NEW QUESTION 1
You are trying to launch an EC2 instance, however the instance seems to go into a terminated status immediately. What would probably not be a reason that this 
is happening? 


A. The AMI is missing a required part. 

B. The snapshot is corrupt. 

C. You need to create storage in EBS first. 
D. You've reached your volume limit.


Answer: C 


Explanation: Amazon EC2 provides virtual computing environments, known as instances.

After you launch an instance, AWS recommends that you check its status to confirm that it goes from the pending status to the running status, not the terminated status.

The following are a few reasons why an Amazon EBS-backed instance might immediately terminate: You've reached your volume limit. The AMI is missing a required part. The snapshot is corrupt.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_InstanceStraightToTerminated.html


NEW QUESTION 2 
In Amazon EC2 Container Service components, what is the name of a logical grouping of container instances on which you can place tasks? 


A. A cluster 

B. A container instance 
C. A container 

D. A task definition 


Answer: A 


Explanation: Amazon ECS contains the following components: 

A Cluster is a logical grouping of container instances that you can place tasks on. 

A Container instance is an Amazon EC2 instance that is running the Amazon ECS agent and has been registered into a cluster. 

A Task definition is a description of an application that contains one or more container definitions.

A Scheduler is the method used for placing tasks on container instances.

A Service is an Amazon ECS service that allows you to run and maintain a specified number of instances of a task definition simultaneously.

A Task is an instantiation of a task definition that is running on a container instance.

A Container is a Linux container that was created as part of a task.

Reference: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html


NEW QUESTION 3 
Can a user get a notification of each instance start / terminate configured with Auto Scaling? 


A. Yes, if configured with the Launch Config 

B. Yes, always 

C. Yes, if configured with the Auto Scaling group 
D. No 


Answer: C 


Explanation: The user can get notifications using SNS if he has configured the notifications while creating the Auto Scaling group. 
Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/GettingStartedTutorial.html


NEW QUESTION 4 
After you recommend Amazon Redshift to a client as an alternative solution to paying data warehouses to analyze his data, your client asks you to explain why you 
are recommending Redshift. Which of the following would be a reasonable response to his request? 


A. It has high performance at scale as data and query complexity grows. 

B. It prevents reporting and analytic processing from interfering with the performance of OLTP workloads. 

C. You don't have the administrative burden of running your own data warehouse and dealing with setup, durability, monitoring, scaling, and patching. 
D. All answers listed are a reasonable response to his question.


Answer: D 


Explanation: Amazon Redshift delivers fast query performance by using columnar storage technology to improve I/O efficiency and parallelizing queries across multiple nodes. Redshift uses standard PostgreSQL JDBC and ODBC drivers, allowing you to use a wide range of familiar SQL clients. Data load speed scales linearly with cluster size, with integrations to Amazon S3, Amazon DynamoDB, Amazon Elastic MapReduce, Amazon Kinesis or any SSH-enabled host.

AWS recommends Amazon Redshift for customers who have a combination of needs, such as:

High performance at scale as data and query complexity grows

Desire to prevent reporting and analytic processing from interfering with the performance of OLTP workloads

Large volumes of structured data to persist and query using standard SQL and existing BI tools

Desire to avoid the administrative burden of running one's own data warehouse and dealing with setup, durability, monitoring, scaling and patching

Reference: https://aws.amazon.com/running_databases/#redshift_anchor 


NEW QUESTION 5 
After setting up a Virtual Private Cloud (VPC) network, a more experienced cloud engineer suggests that to achieve low network latency and high network
throughput you should look into setting up a placement group. You know nothing about this, but begin to do some research about it and are especially curious
about its limitations. Which of the below statements is wrong in describing the limitations of a placement group?


A. Although launching multiple instance types into a placement group is possible, this reduces the likelihood that the required capacity will be available for your 
launch to succeed. 

B. A placement group can span multiple Availability Zones. 

C. You can't move an existing instance into a placement group. 

D. A placement group can span peered VPCs 


Answer: B 


Explanation: A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in 
a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. To 
provide the lowest latency, and the highest packet-per-second network performance for your placement group, choose an instance type that supports enhanced 
networking. 

Placement groups have the following limitations: 

The name you specify for a placement group must be unique within your AWS account.

A placement group can't span multiple Availability Zones.

Although launching multiple instance types into a placement group is possible, this reduces the likelihood that the required capacity will be available for your launch 
to succeed. We recommend using the same instance type for all instances in a placement group. 

You can't merge placement groups. Instead, you must terminate the instances in one placement group, and then relaunch those instances into the other placement 
group. 

A placement group can span peered VPCs; however, you will not get full-bisection bandwidth between instances in peered VPCs. For more information about VPC 
peering connections, see VPC Peering in the Amazon VPC User Guide. 

You can't move an existing instance into a placement group. You can create an AMI from your existing instance, and then launch a new instance from the AMI into
a placement group.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html


NEW QUESTION 6 
What is a placement group in Amazon EC2? 


A. It is a group of EC2 instances within a single Availability Zone. 

B. It is the edge location of your web content.

C. It is the AWS region where you run the EC2 instance of your web content.

D. It is a group used to span multiple Availability Zones.


Answer: A 


Explanation: A placement group is a logical grouping of instances within a single Availability Zone.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html


NEW QUESTION 7 
You are migrating an internal server on your DC to an EC2 instance with EBS volume. Your server disk usage is around 500GB so you just copied all your data to
a 2TB disk to be used with AWS Import/Export. Where will the data be imported once it arrives at Amazon? 


A. to a 2TB EBS volume 

B. to an S3 bucket with 2 objects of 1TB 
C. to a 500GB EBS volume

D. to an S3 bucket as a 2TB snapshot 


Answer: B 


Explanation: An import to Amazon EBS will have different results depending on whether the capacity of your storage device is less than or equal to 1 TB or 
greater than 1 TB. The maximum size of an Amazon EBS snapshot is 1 TB, so if the device image is larger than 1 TB, the image is chunked and stored on 
Amazon S3. The target location is determined based on the total capacity of the device, not the amount of data on the device. 

Reference: http://docs.aws.amazon.com/AWSImportExport/latest/DG/Concepts.html 


NEW QUESTION 8 

A client needs you to import some existing infrastructure from a dedicated hosting provider to AWS to try and save on the cost of running his current website. He 
also needs an automated process that manages backups, software patching, automatic failure detection, and recovery. You are aware that his existing set up 
currently uses an Oracle database. Which of the following AWS databases would be best for accomplishing this task? 


A. Amazon RDS 

B. Amazon Redshift 

C. Amazon SimpleDB 
D. Amazon ElastiCache 


Answer: A


Explanation: Amazon RDS gives you access to the capabilities of a familiar MySQL, Oracle, SQL Server, or PostgreSQL database engine. This means that the
code, applications, and tools you already use today with your existing databases can be used with Amazon RDS. Amazon RDS automatically patches the
database software and backs up your database, storing the backups for a user-defined retention period and enabling point-in-time recovery.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html


NEW QUESTION 9 
True or false: A VPC contains multiple subnets, where each subnet can span multiple Availability Zones.


A. This is true only if requested during the set-up of VPC.
B. This is true. 

C. This is false. 

D. This is true only for US regions.


Answer: C 


Explanation: A VPC can span several Availability Zones. In contrast, a subnet must reside within a single Availability Zone. 
Reference: https://aws.amazon.com/vpc/faqs/ 


NEW QUESTION 10 

Your manager has just given you access to multiple VPN connections that someone else has recently set up between all your company's offices. She needs you to 
make sure that the communication between the VPNs is secure. Which of the following services would be best for providing a low-cost hub-and-spoke model for 
primary or backup connectivity between these remote offices?


A. Amazon CloudFront 

B. AWS Direct Connect 
C. AWS CloudHSM 

D. AWS VPN CloudHub 


Answer: D 


Explanation: If you have multiple VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. The VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for
customers with multiple branch offices and existing Internet connections who would like to implement a convenient, potentially low-cost hub-and-spoke model for
primary or backup connectivity between these remote offices.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPN_CloudHub.html


NEW QUESTION 10 
Does Amazon DynamoDB support both increment and decrement atomic operations? 


A. Only increment, since decrement is inherently impossible with DynamoDB's data model.
B. No, neither increment nor decrement operations.
C. Yes, both increment and decrement operations.
D. Only decrement, since increment is inherently impossible with DynamoDB's data model.


Answer: C 


Explanation: Amazon DynamoDB supports increment and decrement atomic operations. 
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/APISummary.html 


NEW QUESTION 11 
An organization has three separate AWS accounts, one each for development, testing, and production. The organization wants the testing team to have access to 
certain AWS resources in the production account. How can the organization achieve this? 


A. It is not possible to access resources of one account with another account. 

B. Create the IAM roles with cross account access. 

C. Create the IAM user in a test account, and allow it access to the production environment with the IAM policy. 
D. Create the IAM users with cross account access.


Answer: B 


Explanation: An organization has multiple AWS accounts to isolate a development environment from a testing or production environment. At times the users from 
one account need to access resources in the other account, such as promoting an update from the development environment to the production environment. In 
this case the IAM role with cross account access will provide a solution. Cross account access lets one account share access to their resources with users in the 
other AWS accounts. 

Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf 


NEW QUESTION 16 
You are in the process of creating a Route 53 DNS failover to direct traffic to two EC2 zones. Obviously, if one fails, you would like Route 53 to direct traffic to the 
other region. Each region has an ELB with some instances being distributed. What is the best way for you to configure the Route 53 health check? 


A. Route 53 doesn't support ELB with an internal health check. You need to create your own Route 53 health check of the ELB.

B. Route 53 natively supports ELB with an internal health check. Turn "Evaluate target health" off and "Associate with Health Check" on and R53 will use the ELB's internal health check.

C. Route 53 doesn't support ELB with an internal health check. You need to associate your resource record set for the ELB with your own health check.

D. Route 53 natively supports ELB with an internal health check. Turn "Evaluate target health" on and "Associate with Health Check" off and R53 will use the ELB's internal health check.


Answer: D 


Explanation: With DNS Failover, Amazon Route 53 can help detect an outage of your website and redirect your end users to alternate locations where your
application is operating properly. When you enable this feature, Route 53 uses health checks (regularly making Internet requests to your application’s endpoints
from multiple locations around the world) to determine whether each endpoint of your application is up or down.

To enable DNS Failover for an ELB endpoint, create an Alias record pointing to the ELB and set the "Evaluate Target Health" parameter to true. Route 53 creates 
and manages the health checks for your ELB automatically. You do not need to create your own Route 53 health check of the ELB. You also do not need to 
associate your resource record set for the ELB with your own health check, because Route 53 automatically associates it with the health checks that Route 53 
manages on your behalf. The ELB health check will also inherit the health of your backend instances behind that ELB. 

Reference: http://aws.amazon.com/about-aws/whats-new/2013/05/30/amazon-route-53-adds-elb-integration-for-dns-failover/


NEW QUESTION 19 
A user wants to use an EBS-backed Amazon EC2 instance for a temporary job. Based on the input data, the job is most likely to finish within a week. Which of the 
following steps should be followed to terminate the instance automatically once the job is finished? 


A. Configure the EC2 instance with a stop instance to terminate it. 

B. Configure the EC2 instance with ELB to terminate the instance when it remains idle. 

C. Configure the CloudWatch alarm on the instance that should perform the termination action once the instance is idle. 
D. Configure the Auto Scaling schedule activity that terminates the instance after 7 days.


Answer: C 


Explanation: Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the
CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been
lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance
action.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingAlarmActions.html


NEW QUESTION 24 
Which of the following is true of Amazon EC2 security groups?


A. You can modify the outbound rules for EC2-Classic. 

B. You can modify the rules for a security group only if the security group controls the traffic for just one instance. 
C. You can modify the rules for a security group only when a new instance is created. 

D. You can modify the rules for a security group at any time.


Answer: D 


Explanation: A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more 
security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security 
group at any time; the new rules are automatically applied to all instances that are associated with the security group. 

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html 


NEW QUESTION 27 
You are setting up a VPC and you need to set up a public subnet within that VPC. Which of the following requirements must be met for this subnet to be considered a
public subnet?


A. Subnet's traffic is not routed to an internet gateway but has its traffic routed to a virtual private gateway. 
B. Subnet's traffic is routed to an internet gateway. 

C. Subnet's traffic is not routed to an internet gateway. 

D. None of these answers can be considered a public subnet.


Answer: B 


Explanation: A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. 
You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can configure your VPC: you can select its IP address range, create 
subnets, and configure route tables, network gateways, and security settings. 

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be 
connected to the internet, and a private subnet for resources that won't be connected to the Internet. 

If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. 

If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet. 

If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway, the subnet is known as a VPN-only subnet. 
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html 


NEW QUESTION 28 

You are checking the workload on some of your General Purpose (SSD) and Provisioned IOPS (SSD) volumes and it seems that the I/O latency is higher than you
require. You should probably check the ________ to make sure that your application is not trying to drive more IOPS than you have provisioned.


A. Amount of IOPS that are available 

B. Acknowledgement from the storage subsystem 
C. Average queue length 

D. Time it takes for the I/O operation to complete


Answer: C


Explanation: In EBS, workload demand plays an important role in getting the most out of your General Purpose (SSD) and Provisioned IOPS (SSD) volumes. In
order for your volumes to deliver the amount of IOPS that are available, they need to have enough I/O requests sent to them. There is a relationship between the
demand on the volumes, the amount of IOPS that are available to them, and the latency of the request (the amount of time it takes for the I/O operation to
complete).

Latency is the true end-to-end client time of an I/O operation; in other words, when the client sends an IO, how long does it take to get an acknowledgement from
the storage subsystem that the IO read or write is complete.

If your I/O latency is higher than you require, check your average queue length to make sure that your application is not trying to drive more IOPS than you have 
provisioned. You can maintain high IOPS while keeping latency down by maintaining a low average queue length (which is achieved by provisioning more IOPS for 
your volume). 

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-workload-demand.html 


NEW QUESTION 32 
Which of the below mentioned options is not available when an instance is launched by Auto Scaling with EC2 Classic? 


A. Public IP 
B. Elastic IP 
C. Private DNS 
D. Private IP 


Answer: B 


Explanation: Auto Scaling supports both EC2 classic and EC2-VPC. When an instance is launched as a part of EC2 classic, it will have the public IP and DNS as 
well as the private IP and DNS. 
Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/GettingStartedTutorial.html


NEW QUESTION 35 
You are building infrastructure for a data warehousing solution and an extra request has come through that there will be a lot of business reporting queries running 
all the time and you are not sure if your current DB instance will be able to handle it. What would be the best solution for this? 


A. DB Parameter Groups 

B. Read Replicas 

C. Multi-AZ DB Instance deployment 
D. Database Snapshots 


Answer: B 


Explanation: Read Replicas make it easy to take advantage of MySQL’s built-in replication functionality to elastically scale out beyond the capacity constraints of 
a single DB Instance for read-heavy database workloads. There are a variety of scenarios where deploying one or more Read Replicas for a given source DB 
Instance may make sense. Common reasons for deploying a Read Replica include: 

Scaling beyond the compute or I/O capacity of a single DB Instance for read-heavy database workloads. This excess read traffic can be directed to one or more 
Read Replicas. 

Serving read traffic while the source DB Instance is unavailable. If your source DB Instance cannot take I/O requests (e.g. due to I/O suspension for backups or 
scheduled maintenance), you can direct read traffic to your Read Replica(s). For this use case, keep in mind that the data on the Read Replica may be "stale" 
since the source DB Instance is unavailable. 

Business reporting or data warehousing scenarios; you may want business reporting queries to run against a Read Replica, rather than your primary, production 
DB Instance. 

Reference: https://aws.amazon.com/rds/faqs/ 


NEW QUESTION 40 
Your EBS volumes do not seem to be performing as expected and your team leader has requested you look into improving their performance. Which of the 
following is not a true statement relating to the performance of your EBS volumes? 


A. Frequent snapshots provide a higher level of data durability and they will not degrade the performance of your application while the snapshot is in progress. 

B. General Purpose (SSD) and Provisioned IOPS (SSD) volumes have a throughput limit of 128 MB/s per volume. 

C. There is a relationship between the maximum performance of your EBS volumes, the amount of I/O you are driving to them, and the amount of time it takes for
each transaction to complete.

D. There is a 5 to 50 percent reduction in IOPS when you first access each block of data on a newly created or restored EBS volume 


Answer: A 


Explanation: Several factors can affect the performance of Amazon EBS volumes, such as instance configuration, I/O characteristics, workload demand, and 
storage configuration. 

Frequent snapshots provide a higher level of data durability, but they may slightly degrade the performance of your application while the snapshot is in progress. This trade off becomes critical when you have data that changes rapidly. Whenever possible,
plan for snapshots to occur during off-peak times in order to minimize workload impact.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSPerformance.html 


NEW QUESTION 43 
In Amazon EC2 Container Service, are other container types supported? 


A. Yes, EC2 Container Service supports any container service you need. 

B. Yes, EC2 Container Service also supports Microsoft container service. 

C. No, Docker is the only container platform supported by EC2 Container Service presently. 
D. Yes, EC2 Container Service supports Microsoft container service and Openstack.


Answer: C


Explanation: In Amazon EC2 Container Service, Docker is the only container platform supported by EC2 Container Service presently.
Reference: http://aws.amazon.com/ecs/faqs/ 


NEW QUESTION 45 

An organization has created an application which is hosted on the AWS EC2 instance. The application stores images to S3 when the end user uploads to it. The
organization does not want to store the AWS secure credentials required to access the S3 inside the instance. Which of the below mentioned options is a possible 
solution to avoid any security threat? 


A. Use the IAM based single sign between the AWS resources and the organization application. 
B. Use the IAM role and assign it to the instance. 

C. Since the application is hosted on EC2, it does not need credentials to access S3. 

D. Use the X.509 certificates instead of the access and the secret access key 

Answer: B 


Explanation: The AWS IAM role uses temporary security credentials to access AWS services. Once the role is assigned to an instance, it will not need any 
security credentials to be stored on the instance.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html


NEW QUESTION 48 
Can resource record sets in a hosted zone have a different domain suffix (for example, www.blog.acme.com and www.acme.ca)?


A. Yes, it can have for a maximum of three different TLDs. 


B. Yes 

C. Yes, it can have depending on the TLD. 
D. No 

Answer: D 


Explanation: The resource record sets contained in a hosted zone must share the same suffix. For example, the example.com hosted zone can contain resource 
record sets for www.example.com and www.aws.example.com subdomains, but it cannot contain resource record sets for a www.example.ca subdomain.
Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHostedZones.html 


NEW QUESTION 49 
You are running PostgreSQL on Amazon RDS and it seems to be all running smoothly deployed in one availability zone. A database administrator asks you if DB 
instances running PostgreSQL support Multi-AZ deployments. What would be a correct response to this question?


A. Yes. 

B. Yes but only for small db instances. 

C. No. 

D. Yes but you need to request the service from AWS.


Answer: A 


Explanation: Amazon RDS supports DB instances running several versions of PostgreSQL. Currently we support PostgreSQL versions 9.3.1, 9.3.2, and 9.3.3.
You can create DB instances and DB snapshots, point-in-time restores and backups.

DB instances running PostgreSQL support Multi-AZ deployments, Provisioned IOPS, and can be created inside a VPC. You can also use SSL to connect to a DB 
instance running PostgreSQL. 

You can use any standard SQL client application to run commands for the instance from your client computer. Such applications include pgAdmin, a popular Open 
Source administration and development tool for PostgreSQL, or psql, a command line utility that is part of a PostgreSQL installation. In order to deliver a managed 
service experience, Amazon RDS does not provide host access to DB instances, and it restricts access to certain system procedures and tables that require 
advanced privileges. Amazon RDS supports access to databases on a DB instance using any standard SQL client application. Amazon RDS does not allow direct
host access to a DB instance via Telnet or Secure Shell (SSH). 

Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html 


NEW QUESTION 54 
A user has launched 10 EC2 instances inside a placement group. Which of the below mentioned statements is true with respect to the placement group? 


A. All instances must be in the same AZ 

B. All instances can be across multiple regions 

C. The placement group cannot have more than 5 instances 
D. All instances must be in the same region 


Answer: A


Explanation: A placement group is a logical grouping of EC2 instances within a single Availability Zone. Using placement groups enables applications to
participate in a low-latency, 10 Gbps network. Placement groups are recommended for applications that benefit from low network latency, high network throughput
or both.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html


NEW QUESTION 57 
An organization has developed a mobile application which allows end users to capture a photo on their mobile device, and store it inside an application. The
application internally uploads the data to AWS S3. The organization wants each user to be able to directly upload data to S3 using their Google ID. How will the
mobile app allow this?


A. Use the AWS Web identity federation for mobile applications, and use it to generate temporary security credentials for each user. 
B. It is not possible to connect to AWS S3 with a Google ID. 

C. Create an IAM user every time a user registers with their Google ID and use IAM to upload files to S3. 

D. Create a bucket policy with a condition which allows everyone to upload if the login ID has a Google part to it. 


Answer: A 


Explanation: For Amazon Web Services, the Web identity federation allows you to create cloud-backed mobile apps that use public identity providers, such as 
login with Facebook, Google, or Amazon. It will create temporary security credentials for each user, which will be authenticated by the AWS services, such as S3. 
Reference: http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html 


NEW QUESTION 60 
An online gaming site asked you if you can deploy a database that is a fast, highly scalable NoSQL database service in AWS for a new site that he wants to build. 
Which database should you recommend? 


A. Amazon DynamoDB 
B. Amazon RDS 

C. Amazon Redshift 

D. Amazon SimpleDB 


Answer: A 


Explanation: Amazon DynamoDB is ideal for database applications that require very low latency and predictable performance at any scale but don’t need 
complex querying capabilities like joins or transactions. Amazon DynamoDB is a fully-managed NoSQL database service that offers high performance, predictable 
throughput and low cost. It is easy to set up, operate, and scale. 

With Amazon DynamoDB, you can start small, specify the throughput and storage you need, and easily scale your capacity requirements on the fly. Amazon 
DynamoDB automatically partitions data over a number of servers to meet your request capacity. In addition, DynamoDB automatically replicates your data 
synchronously across multiple Availability Zones within an AWS Region to ensure high-availability and data durability. 

Reference: https://aws.amazon.com/running_databases/#dynamodb_anchor


NEW QUESTION 65 

You have been doing a lot of testing of your VPC Network by deliberately failing EC2 instances to test whether instances are failing over properly. Your customer
who will be paying the AWS bill for all this asks you if he is being charged for all these instances. You try to explain to him how the billing works on EC2 instances to
the best of your knowledge. What would be an appropriate response to give to the customer in regards to this?


A. Billing commences when Amazon EC2 AMI instance is completely up and billing ends as soon as the instance starts to shut down.

B. Billing commences only after 1 hour of uptime and billing ends when the instance terminates.

C. Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance and billing ends when the instance shuts down.

D. Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance and billing ends as soon as the instance starts to shut down.


Answer: C 


Explanation: Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance. Billing ends when the instance shuts down, which could occur
through a web services command, by running "shutdown -h", or through instance failure.
Reference: http://aws.amazon.com/ec2/faqs/#Billing 


NEW QUESTION 69 
Your company has been storing a lot of data in Amazon Glacier and has asked for an inventory of what is in there exactly. So you have decided that you need to 
download a vault inventory. Which of the following statements is incorrect in relation to Vault Operations in Amazon Glacier? 


A. You can use Amazon Simple Notification Service (Amazon SNS) notifications to notify you when the job completes. 
B. A vault inventory refers to the list of archives in a vault. 

C. You can use Amazon Simple Queue Service (Amazon SQS) notifications to notify you when the job completes. 

D. Downloading a vault inventory is an asynchronous operation.


Answer: C 


Explanation: Amazon Glacier supports various vault operations. 

A vault inventory refers to the list of archives in a vault. For each archive in the list, the inventory provides archive information such as archive ID, creation date, 
and size. Amazon Glacier updates the vault inventory approximately once a day, starting on the day the first archive is uploaded to the vault. A vault inventory 
must exist for you to be able to download it. 

Downloading a vault inventory is an asynchronous operation. You must first initiate a job to download the inventory. After receiving the job request, Amazon Glacier
prepares your inventory for download. After the job completes, you can download the inventory data.

Given the asynchronous nature of the job, you can use Amazon Simple Notification Service (Amazon SNS) notifications to notify you when the job completes. You
can specify an Amazon SNS topic for each individual job request or configure your vault to send a notification when specific vault events occur. Amazon Glacier
prepares an inventory for each vault periodically, every 24 hours. If there have been no archive additions or deletions to the vault since the last inventory, the 
inventory date is not updated. When you initiate a job for a vault inventory, Amazon Glacier returns the last inventory it generated, which is a point-in-time snapshot 
and not real-time data. You might not find it useful to retrieve vault inventory for each archive upload. However, suppose you maintain a database on the client-side 
associating metadata about the archives you upload to Amazon Glacier. Then, you might find the vault inventory useful to reconcile information in your database 
with the actual vault inventory. 

Reference: http://docs.aws.amazon.com/amazonglacier/latest/dev/working-with-vaults.html 


NEW QUESTION 71
A customer enquires about whether all his data is secure on AWS and is especially concerned about Elastic Map Reduce (EMR) so you need to inform him of
some of the security features in place for AWS. Which of the below statements would be an incorrect response to your customer's enquiry?


A. Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission.
B. Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. 
C. Every packet sent in the AWS network uses Internet Protocol Security (IPsec). 

D. Customers may encrypt the input data before they upload it to Amazon S3. 


Answer: C 


Explanation: Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. Unless the customer who is
uploading the data specifies otherwise, only that customer can access the data. Amazon EMR customers can also choose to send data to Amazon S3
using the HTTPS protocol for secure transmission. In addition, Amazon EMR always uses HTTPS to send data between Amazon S3 and Amazon EC2. For added
security, customers may encrypt the input data before they upload it to Amazon S3 (using any common data compression tool); they then need to add a decryption
step to the beginning of their cluster when Amazon EMR fetches the data from Amazon S3.

Reference: https://aws.amazon.com/elasticmapreduce/faqs/


NEW QUESTION 76 
You are in the process of building an online gaming site for a client and one of the requirements is that it must be able to process vast amounts of data easily. 
Which AWS Service would be very helpful in processing all this data? 


A. Amazon S3 

B. AWS Data Pipeline 
C. AWS Direct Connect 
D. Amazon EMR 


Answer: D 


Explanation: Managing and analyzing high data volumes produced by online games platforms can be difficult. The back-end infrastructures of online games can 
be challenging to maintain and operate. Peak usage periods, multiple players, and high volumes of write operations are some of the most common problems that 
operations teams face. 

Amazon Elastic MapReduce (Amazon EMR) is a service that processes vast amounts of data easily. Input data can be retrieved from web server logs stored on 
Amazon S3 or from player data stored in Amazon DynamoDB tables to run analytics on player behavior, usage patterns, etc. Those results can be stored again on 
Amazon S3, or inserted in a relational database for further analysis with classic business intelligence tools. 

Reference: http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_games_10.pdf 


NEW QUESTION 80 
What would be the best way to retrieve the public IP address of your EC2 instance using the CLI? 


A. Using tags 

B. Using traceroute 

C. Using ipconfig 

D. Using instance metadata 


Answer: D 


Explanation: To determine your instance's public IP address from within the instance, you can use instance metadata. Use the following command to access the
public IP address: For Linux use, $ curl http://169.254.169.254/latest/meta-data/public-ipv4, and for Windows use, $ wget http://169.254.169.254/latest/meta-data/public-ipv4.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html


NEW QUESTION 83 
You need to measure the performance of your EBS volumes as they seem to be under performing. You have come up with a measurement of 1,024 KB I/O but 
your colleague tells you that EBS volume performance is measured in IOPS. How many IOPS is equal to 1,024 KB I/O? 


A. 16 
B. 256 
C. 8
D. 4 


Answer: D 


Explanation: Several factors can affect the performance of Amazon EBS volumes, such as instance configuration, I/O characteristics, workload demand, and 
storage configuration. 

IOPS are input/output operations per second. Amazon EBS measures each I/O operation per second (that is 256 KB or smaller) as one IOPS. I/O operations that
are larger than 256 KB are counted in 256 KB capacity units.

For example, a 1,024 KB I/O operation would count as 4 IOPS. 

When you provision a 4,000 IOPS volume and attach it to an EBS-optimized instance that can provide the necessary bandwidth, you can transfer up to 4,000 
chunks of data per second (provided that the I/O does not exceed the 128 MB/s per volume throughput limit of General Purpose (SSD) and Provisioned IOPS 
(SSD) volumes). 

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSPerformance.html 


NEW QUESTION 88 
Having set up a website to automatically be redirected to a backup website if it fails, you realize that there are different types of failovers that are possible. You 
need all your resources to be available the majority of the time. Using Amazon Route 53 which configuration would best suit this requirement? 


A. Active-active failover.

B. Non 

C. Route 53 can't failover. 

D. Active-passive failover. 

E. Active-active-passive and other mixed configurations.


Answer: A 


Explanation: You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record 
sets. 

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes 
unavailable, Amazon Route 53 can detect that it's unhealthy and stop including it when responding to queries. 

Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a 
secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes 
only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in 
response to DNS queries. 

Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 
behaviors. 

Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html 


NEW QUESTION 93 

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those 
resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon 
EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. What formatting is 
required for this template? 


A. JSON-formatted document 
B. CSS-formatted document 
C. XML-formatted document 
D. HTML-formatted document 


Answer: A 


Explanation: You can write an AWS CloudFormation template (a JSON-formatted document) in a text editor or pick an existing template. The template describes
the resources you want and their settings. For example, suppose you want to create an Amazon EC2 instance. Your template can declare an Amazon EC2 instance
and describe its properties, as shown in the following example:


{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "A simple Amazon EC2 instance",
  "Resources" : {
    "MyEC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : "ami-2f726546",
        "InstanceType" : "t1.micro"
      }
    }
  }
}


Reference: 
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-howdoesitwork.html


NEW QUESTION 98 
You decide that you need to create a number of Auto Scaling groups to try and save some money as you have noticed that at certain times most of your EC2 
instances are not being used. By default, what is the maximum number of Auto Scaling groups that AWS will allow you to create? 


A. 12 

B. Unlimited 
C. 20 

D. 2


Answer: C 


Explanation: Auto Scaling is an AWS service that allows you to increase or decrease the number of EC2 instances within your application's architecture. With 
Auto Scaling, you create collections of EC2 instances, called Auto Scaling groups. You can create these groups from scratch, or from existing EC2 instances that 
are already in production. 

Reference: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_autoscaling


NEW QUESTION 103 

A user needs to run a batch process which runs for 10 minutes. This will only be run once, or at maximum twice, in the next month, so the processes will be 
temporary only. The process needs 15 X-Large instances. The process downloads the code from S3 on each instance when it is launched, and then generates a 
temporary log file. Once the instance is terminated, all the data will be lost. Which of the below mentioned pricing models should the user choose in this case? 


A. Spot instance. 

B. Reserved instance. 

C. On-demand instance. 
D. EBS optimized instance.


Answer: A 


Explanation: In Amazon Web Services, the spot instance is useful when the user wants to run a process temporarily. The spot instance can terminate the 
instance if the other user outbids the existing bid. In this case all storage is temporary and the data is not required to be persistent. Thus, the spot instance is a 
good option to save money. 

Reference: http://aws.amazon.com/ec2/purchasing-options/spot-instances/ 


NEW QUESTION 108 
Which of the following is NOT a characteristic of Amazon Elastic Compute Cloud (Amazon EC2)? 


A. It can be used to launch as many or as few virtual servers as you need. 

B. It increases the need to forecast traffic by providing dynamic IP addresses for static cloud computing. 

C. It eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. 
D. It offers scalable computing capacity in the Amazon Web Services (AWS) cloud.


Answer: B 


Explanation: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon 
EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as 
few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in
requirements or spikes in popularity, reducing your need to forecast traffic.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html


NEW QUESTION 109 
You have been storing massive amounts of data on Amazon Glacier for the past 2 years and now start to wonder if there are any limitations on this. What is the 
correct answer to your question?


A. The total volume of data is limited but the number of archives you can store are unlimited. 
B. The total volume of data is unlimited but the number of archives you can store are limited. 
C. The total volume of data and number of archives you can store are unlimited. 

D. The total volume of data is limited and the number of archives you can store are limited.


Answer: C 


Explanation: An archive is a durably stored block of information. You store your data in Amazon Glacier as archives. You may upload a single file as an archive, 
but your costs will be lower if you aggregate your data. TAR and ZIP are common formats that customers use to aggregate multiple files into a single file before 
uploading to Amazon Glacier. 

The total volume of data and number of archives you can store are unlimited. Individual Amazon Glacier archives can range in size from 1 byte to 40 terabytes.
The largest archive that can be uploaded in a single upload request is 4 gigabytes. 

For items larger than 100 megabytes, customers should consider using the Multipart upload capability. Archives stored in Amazon Glacier are immutable, i.e. 
archives can be uploaded and deleted but cannot be edited or overwritten. 

Reference: https://aws.amazon.com/glacier/faqs/ 


NEW QUESTION 113 
A user has configured ELB with two EBS backed EC2 instances. The user is trying to understand the DNS access and IP support for ELB. Which of the below 
mentioned statements may not help the user understand the IP mechanism supported by ELB? 


A. The client can connect over IPV4 or IPV6 using Dualstack 

B. Communication between the load balancer and back-end instances is always through IPV4 
C. ELB DNS supports both IPV4 and IPV6 

D. The ELB supports either IPV4 or IPV6 but not both 


Answer: D 


Explanation: Elastic Load Balancing supports both Internet Protocol version 6 (IPv6) and Internet Protocol version 4 (IPv4). Clients can connect to the user’s load 
balancer using either IPv4 or IPv6 (in EC2-Classic) DNS. However, communication between the load balancer and its back-end instances uses only IPv4. The 
user can use the Dualstack-prefixed DNS name to enable IPv6 support for communications between the client and the load balancers. Thus, the clients are able to 
access the load balancer using either IPv4 or IPv6 as their individual connectivity needs dictate.

Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForEC2.html 


NEW QUESTION 114 
Does AWS CloudFormation support Amazon EC2 tagging? 


A. Yes, AWS CloudFormation supports Amazon EC2 tagging 

B. No, CloudFormation doesn’t support any tagging 

C. No, it doesn’t support Amazon EC2 tagging. 

D. It depends if the Amazon EC2 tagging has been defined in the template.


Answer: A


Explanation: In AWS CloudFormation, Amazon EC2 resources that support the tagging feature can also be tagged in an AWS template. The tag values can refer
to template parameters, other resource names, resource attribute values (e.g. addresses), or values computed by simple functions (e.g., a concatenated list of
strings).

Reference: http://aws.amazon.com/cloudformation/faqs/


NEW QUESTION 116

An existing client comes to you and says that he has heard that launching instances into a VPC (virtual private cloud) is a better strategy than launching instances 
into EC2-Classic, which he knows is what you currently do. You suspect that he is correct and he has asked you to do some research about this and get back to
him. Which of the following statements is true in regards to what ability launching your instances into a VPC instead of EC2-Classic gives you? 


A. All of the things listed here. 

B. Change security group membership for your instances while they're running 

C. Assign static private IP addresses to your instances that persist across starts and stops 
D. Define network interfaces, and attach one or more network interfaces to your instances 


Answer: A 


Explanation: By launching your instances into a VPC instead of EC2-Classic, you gain the ability to:

Assign static private IP addresses to your instances that persist across starts and stops

Assign multiple IP addresses to your instances

Define network interfaces, and attach one or more network interfaces to your instances

Change security group membership for your instances while they're running

Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)

Add an additional layer of access control to your instances in the form of network access control lists (ACL)

Run your instances on single-tenant hardware

Reference: http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf


NEW QUESTION 118 
Amazon S3 allows you to set per-file permissions to grant read and/or write access. However you have decided that you want an entire bucket with 100 files 
already in it to be accessible to the public. You don't want to go through 100 files individually and set permissions. What would be the best way to do this?


A. Move the bucket to a new region 
B. Add a bucket policy to the bucket. 
C. Move the files to a new bucket. 
D. Use Amazon EBS instead of S3 


Answer: B 


Explanation: Amazon S3 supports several mechanisms that give you flexibility to control who can access your data as well as how, when, and where they can
access it. Amazon S3 provides four different access control mechanisms: AWS Identity and Access Management (IAM) policies, Access Control Lists (ACLs),
bucket policies, and query string authentication. IAM enables organizations to create and manage multiple users under a single AWS account. With IAM policies,
you can grant IAM users fine-grained control to your Amazon S3 bucket or objects. You can use ACLs to selectively add (grant) certain permissions on individual
objects.

Amazon S3 bucket policies can be used to add or deny permissions across some or all of the objects within a single bucket.

With Query string authentication, you have the ability to share Amazon S3 objects through URLs that are valid for a specified period of time.

Reference: http://aws.amazon.com/s3/details/#security


NEW QUESTION 121 
You need to set up a high level of security for an Amazon Relational Database Service (RDS) you have just built in order to protect the confidential information 
stored in it. What are all the possible security groups that RDS uses? 


A. DB security groups, VPC security groups, and EC2 security groups. 
B. DB security groups only. 

C. EC2 security groups only. 

D. VPC security groups, and EC2 security groups.


Answer: A 


Explanation: A security group controls the access to a DB instance. It does so by allowing access to IP address ranges or Amazon EC2 instances that you 
specify. 

Amazon RDS uses DB security groups, VPC security groups, and EC2 security groups. In simple terms, a DB security group controls access to a DB instance that 
is not in a VPC, a VPC security group controls access to a DB instance inside a VPC, and an Amazon EC2 security group controls access to an EC2 instance and 
can be used with a DB instance. 

Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html 


NEW QUESTION 125 

You have been using T2 instances as your CPU requirements have not been that intensive. However you now start to think about larger instance types and start 
looking at M1 and M3 instances. You are a little confused as to the differences between them as they both seem to have the same ratio of CPU and memory.
Which statement below is incorrect as to why you would use one over the other? 


A. M3 instances are less expensive than M1 instances. 

B. M3 instances are configured with more swap memory than M1 instances.

C. M3 instances provide better, more consistent performance than M1 instances for most use-cases.
D. M3 instances also offer SSD-based instance storage that delivers higher I/O performance.


Answer: B 


Explanation: Amazon EC2 allows you to set up and configure everything about your instances from your operating system up to your applications. An Amazon
Machine Image (AMI) is simply a packaged-up environment that includes all the necessary bits to set up and boot your instance.

M1 and M3 Standard instances have the same ratio of CPU and memory. Some reasons why you would use one over the other are given below.

M3 instances provide better, more consistent performance than M1 instances for most use-cases. M3 instances also offer SSD-based instance storage that delivers
higher I/O performance.

M3 instances are also less expensive than M1 instances. Due to these reasons, we recommend M3 for applications that require general purpose instances with a
balance of compute, memory, and network resources.

However, if you need more disk storage than what is provided in M3 instances, you may still find M1 instances useful for running your applications. 

Reference: https://aws.amazon.com/ec2/faqs/ 


NEW QUESTION 128 

You have set up an Elastic Load Balancer (ELB) with the usual default settings, which route each request independently to the application instance with the 
smallest load. However, someone has asked you to bind a user's session to a specific application instance so as to ensure that all requests coming from the user 
during the session will be sent to the same application instance. AWS has a feature to do this. What is it called? 


A. Connection draining 
B. Proxy protocol 

C. Tagging 

D. Sticky session 


Answer: D 


Explanation: An Elastic Load Balancer (ELB), by default, routes each request independently to the application instance with the smallest load. However, you can
use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session
to a specific application instance. This ensures that all requests coming from the user during the session will be sent to the same application instance. The key to 
managing the sticky session is determining how long your load balancer should consistently route the user's request to the same application instance. If your 
application has its own session cookie, then you can set Elastic Load Balancing to create the session cookie to follow the duration specified by the application's 
session cookie. If your application does not have its own session cookie, then you can set Elastic Load Balancing to create a session cookie by specifying your 
own stickiness duration. You can associate stickiness duration for only HTTP/HTTPS load balancer listeners. 

An application instance must always receive and send two cookies: A cookie that defines the stickiness duration and a special Elastic Load Balancing cookie 
named AWSELB, that has the mapping to the application instance. 

Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#session-stickiness


NEW QUESTION 133 

A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the 
DynamoDB SDK to connect from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this
scenario? 


A. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB 
B. The user should attach an IAM role with DynamoDB access to the EC2 instance 

C. The user should create an IAM role, which has EC2 access so that it will allow deploying the application 

D. The user should create an IAM user with DynamoDB and EC2 access.

E. Attach the user with the application so that it does not use the root account credentials 


Answer: B 


Explanation: With AWS IAM, a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls.
Here it is recommended that the user should not create an IAM user and pass the user's credentials to the application or
embed those credentials inside the application. Instead, the user should use roles for EC2 and give that role access to DynamoDB /S3. When the roles are 
attached to EC2, it will give temporary security credentials to the application hosted on that EC2, to connect with DynamoDB / S3. 

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html 


NEW QUESTION 138 
After setting up several database instances in Amazon Relational Database Service (Amazon RDS) you decide that you need to track the performance and health 
of your databases. How can you do this? 


A. Subscribe to Amazon RDS events to be notified when changes occur with a DB instance, DB snapshot, DB parameter group, or DB security group. 
B. Use the free Amazon CloudWatch service to monitor the performance and health of a DB instance. 

C. All of the items listed will track the performance and health of a database. 

D. View, download, or watch database log files using the Amazon RDS console or Amazon RDS APIs.

E. You can also query some database log files that are loaded into database tables. 


Answer: C 


Explanation: Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the 
cloud. It provides cost-efficient, resizeable capacity for an industry-standard relational database and manages common database administration tasks. 

There are several ways you can track the performance and health of a database or a DB instance. You can: 

Use the free Amazon CloudWatch service to monitor the performance and health of a DB instance. Subscribe to Amazon RDS events to be notified when changes 
occur with a DB instance, DB snapshot, DB parameter group, or DB security group. 

View, download, or watch database log files using the Amazon RDS console or Amazon RDS APIs. You can also query some database log files that are loaded 
into database tables. 

Use the AWS CloudTrail service to record AWS calls made by your AWS account. The calls are recorded in log files and stored in an Amazon S3 bucket. 
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Monitoring.html 


NEW QUESTION 140 
A user is aware that a huge download is occurring on his instance. He has already set the Auto Scaling policy to increase the instance count when the network I/O 
increases beyond a certain limit. How can the user ensure that this temporary event does not result in scaling? 


A. The network I/O are not affected during data download 
B. The policy cannot be set on the network I/O 
C. There is no way the user can stop scaling as it is already configured
D. Suspend scaling 


Answer: D 


Explanation: The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency
situations. To perform this, the user can suspend one or more scaling processes at any time. Once it is completed, the user can resume all the suspended
processes.

Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AS_Concepts.html


NEW QUESTION 142 

An accountant asks you to design a small VPC network for him and, due to the nature of his business, just needs something where the workload on the network 
will be low, and dynamic data will be accessed infrequently. Being an accountant, low cost is also a major factor. Which EBS volume type would best suit his 
requirements? 


A. Magnetic 

B. Any, as they all perform the same and cost the same. 
C. General Purpose (SSD) 

D. Magnetic or Provisioned IOPS (SSD) 


Answer: A 


Explanation: You can choose between three EBS volume types to best meet the needs of your workloads: General Purpose (SSD), Provisioned IOPS (SSD), and
Magnetic. General Purpose (SSD) is the new, SSD-backed, general purpose EBS volume type that we recommend as the default choice for customers. General 
Purpose (SSD) volumes are suitable for a broad range of workloads, including small to medium sized databases, development and test environments, and boot 
volumes. Provisioned IOPS (SSD) volumes offer storage with consistent and low-latency performance, and are designed for I/O intensive applications such as 
large relational or NoSQL databases. Magnetic volumes provide the lowest cost per gigabyte of all EBS volume types. Magnetic volumes are ideal for workloads 
where data is accessed infrequently, and applications where the lowest storage cost is important. 

Reference: https://aws.amazon.com/ec2/faqs/ 


NEW QUESTION 144 
A user is planning to launch a scalable web application. Which of the below mentioned options will not affect the latency of the application? 


A. Region. 

B. Provisioned IOPS. 
C. Availability Zone. 
D. Instance size.


Answer: C 


Explanation: In AWS, the instance size decides the I/O characteristics. The provisioned IOPS ensures higher throughput and lower latency. The region does
affect the latency; latency will always be less when the instance is near to the end user. Within a region the user can use any AZ, and this does not affect the latency.
The AZ is mainly for fault tolerance or HA.

Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf 


NEW QUESTION 145 
Which of the following strategies can be used to control access to your Amazon EC2 instances? 


A. DB security groups 
B. IAM policies 

C. None of these 

D. EC2 security groups 


Answer: D 


Explanation: IAM policies allow you to specify what actions your IAM users are allowed to perform against your EC2 Instances. However, when it comes to
access control, security groups are what you need in order to define and control the way you want your instances to be accessed, and whether certain kinds
of communication are allowed.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html


NEW QUESTION 148 
A user has launched one EC2 instance in the US East region and one in the US West region. The user has launched an RDS instance in the US East region. How 
can the user configure access from both the EC2 instances to RDS? 


A. It is not possible to access RDS of the US East region from the US West region 

B. Configure the US West region’s security group to allow a request from the US East region’s instance and configure the RDS security group’s ingress rule for 
the US East EC2 group 

C. Configure the security group of the US East region to allow traffic from the US West region’s instance and configure the RDS security group’s ingress rule for 
the US East EC2 group 

D. Configure the security group of both instances in the ingress rule of the RDS security group 


Answer: C 


Explanation: The user cannot authorize an Amazon EC2 security group if it is in a different AWS Region than the RDS DB instance. The user can authorize an IP
range or specify an Amazon EC2 security group in the same region that refers to an IP address in another region. In this case, allow the IP of the US West
instance inside the US East security group and open the RDS security group for the US East region.

Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html


NEW QUESTION 151 
In Amazon EC2, if your EBS volume stays in the detaching state, you can force the detachment by clicking ______.


A. Force Detach 

B. Detach Instance 
C. AttachVolume 
D. AttachInstance 


Answer: A 


Explanation: If your volume stays in the detaching state, you can force the detachment by clicking Force Detach.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html


NEW QUESTION 154 
You have just set up a large site for a client which involved a huge database which you set up with Amazon RDS to run as a Multi-AZ deployment. You now start to
worry about what will happen if the database instance fails. Which statement best describes how this database will function if there is a database failure? 


A. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest 
database updates against DB Instance failure. 

B. Your database will not resume operation without manual administrative intervention. 

C. Updates to your DB Instance are asynchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest 
database updates against DB Instance failure. 

D. Updates to your DB Instance are synchronously replicated across S3 to the standby in order to keep both in sync and protect your latest database updates 
against DB Instance failure. 


Answer: A 


Explanation: Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in 
the cloud. It provides cost-efficient and resizable capacity, while managing time-consuming database administration tasks, freeing you up to focus on your 
applications and business. 

When you create or modify your DB Instance to run as a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous "standby" 
replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in 
sync and protect your latest database updates against DB Instance failure. 

During certain types of planned maintenance, or in the unlikely event of DB Instance failure or Availability Zone failure, Amazon RDS will automatically failover to
the standby so that you can resume database writes and reads as soon as the standby is promoted. Since the name record for your DB Instance
remains the same, your application can resume database operation without the need for manual administrative intervention. With Multi-AZ deployments, replication
is transparent: you do not interact directly with the standby, and it cannot be used to serve read traffic. If you are using Amazon RDS for MySQL and are looking to
scale read traffic beyond the capacity constraints of a single DB Instance, you can deploy one or more Read Replicas.

Reference: http://aws.amazon.com/rds/faqs/ 


NEW QUESTION 157 
You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command
(jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?


A. Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

B. Amazon SQS is for single-threaded sending or receiving speeds.

C. Amazon SQS is a non-distributed queuing system.

D. Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds.


Answer: A 


Explanation: Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.
A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher
receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been sent to
a queue is available to be received.

Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf 


NEW QUESTION 161 
A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1 week period for a 
particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch? 


A. The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse 
B. The user can zoom a particular period by specifying the aggregation data for that period 

C. The user can zoom a particular period by double clicking on that period with the mouse 

D. The user can zoom a particular period by specifying the period in the Time Range 


Answer: A


Explanation: Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier
for the user to analyse. The AWS CloudWatch console provides the option to change the granularity of a graph and zoom in to see data over a shorter time period.

To zoom, the user has to click in the graph details pane, drag on the graph area for selection, and then release the mouse button.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/zoom_in_on_graph.html


NEW QUESTION 166
The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants ______.


A. to change the hash keys of the table directly 

B. to check if an IAM policy requires the hash keys of the tables directly 

C. to read or modify any codecommit key of the table directly, without a middle-tier service 
D. to read or modify the table directly, without a middle-tier service 


Answer: D 


Explanation: FGAC can benefit any application that tracks information in a DynamoDB table, where the end user (or application client acting on behalf of an end 
user) wants to read or modify the table directly, without a middle-tier service. For instance, a developer of a mobile app named Acme can use FGAC to track the 
top score of every Acme user in a DynamoDB table. FGAC allows the application client to modify only the top score for the user that is currently running the 
application. 

Reference: http://aws.amazon.com/dynamodb/faqs/#security_anchor 


NEW QUESTION 168 

You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: security 
groups and network access control lists (ACLs). You have already looked into security groups and you are now trying to understand ACLs. Which statement below 
is incorrect in relation to ACLs? 


A. Supports allow rules and deny rules. 

B. Is stateful: Return traffic is automatically allowed, regardless of any rules. 
C. Processes rules in number order when deciding whether to allow traffic. 
D. Operates at the subnet level (second layer of defense). 


Answer: B 


Explanation: Amazon VPC provides two features that you can use to increase security for your VPC: 

Security groups—Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level 

Network access control lists (ACLs)—Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level 

Security groups are stateful: return traffic is automatically allowed, regardless of any rules.

Network ACLs are stateless: return traffic must be explicitly allowed by rules.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html 


NEW QUESTION 169 
You need to create an Amazon Machine Image (AMI) for a customer for an application which does not appear to be part of the standard AWS AMI template that you
can see in the AWS console. What are the alternative possibilities for creating an AMI on AWS?


A. You can purchase AMIs from a third party but cannot create your own AMI.

B. You can purchase AMIs from a third party or can create your own AMI.

C. Only AWS can create AMIs and you need to wait till it becomes available.

D. Only AWS can create AMIs and you need to request them to create one for you.


Answer: B 


Explanation: You can purchase AMIs from a third party, including AMIs that come with service contracts from organizations such as Red Hat. You can also
create an AMI and sell it to other Amazon EC2 users. After you create an AMI, you can keep it private so that only you can use it, or you can share it with a
specified list of AWS accounts. You can also make your custom AMI public so that the community can
use it. Building a safe, secure, usable AMI for public consumption is a fairly straightforward process, if you follow a few simple guidelines.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html


NEW QUESTION 173 
While creating an Amazon RDS DB, your first task is to set up a DB ______ that controls which IP address or EC2 instance can access your DB Instance.


A. security token pool 
B. security token 

C. security pool 

D. security group 


Answer: D


Explanation: While creating an Amazon RDS DB, your first task is to set up a DB Security Group that controls what IP addresses or EC2 instances have access
to your DB Instance.

Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html


NEW QUESTION 175 
You are very concerned about security on your network because you have multiple programmers testing APIs and SDKs and you have no idea what is happening. 
You think CloudTrail may help but are not sure what it does. Which of the following statements best describes the AWS service CloudTrail?


A. With AWS CloudTrail you can get a history of AWS API calls and related events for your account. 
B. With AWS CloudTrail you can get a history of IAM users for your account. 

C. With AWS CloudTrail you can get a history of S3 logfiles for your account.

D. With AWS CloudTrail you can get a history of CloudFormation JSON scripts used for your account.


Answer: A 


Explanation: With AWS CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, the
AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support
CloudTrail, the source IP address the calls were made from, and when the calls occurred. 

You can identify which users and accounts called AWS for services that support CloudTrail, the source IP address the calls were made from, and when the calls 
occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how 
administrators turn CloudTrail logging on and off. 

Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html 


NEW QUESTION 178 

You are configuring a new VPC for one of your clients for a cloud migration project, and only a public VPN will be in place. After you created your VPC, you 
created a new subnet, a new internet gateway, and attached your internet gateway to your VPC. When you launched your first instance into your VPC, you 
realized that you aren't able to connect to the instance, even if it is configured with an elastic IP. What should be done to access the instance? 


A. A route should be created as 0.0.0.0/0 and your internet gateway as target. 

B. Attach another ENI to the instance and connect via new ENI. 

C. A NAT instance should be created and all traffic should be forwarded to NAT instance. 
D. A NACL should be created that allows all outbound traffic.


Answer: A 


Explanation: All traffic should be routed via Internet Gateway. So, a route should be created with 0.0.0.0/0 as a source, and your Internet Gateway as your target. 
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html 


NEW QUESTION 182 

A user is currently building a website which will require a large number of instances in six months, when a demonstration of the new site will be given upon launch. 
Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during the 
demonstration? 


A. Procure all the instances as reserved instances beforehand. 

B. Launch all the instances as part of the cluster group to ensure resource availability. 
C. Pre-warm all the instances one month prior to ensure resource availability. 

D. Ask AWS now to procure the dedicated instances in 6 months.


Answer: A 


Explanation: Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to 
these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the 
user literally reserves the computing capacity in the Amazon Web Services cloud. 

Reference: http://media.amazonwebservices.com/AWS_Building_Fault_Tolerant_Applications.pdf


NEW QUESTION 187 
You receive a bill from AWS but are confused because you see you are incurring different costs for the exact same storage size in different regions on Amazon S3. 
You ask AWS why this is so. What response would you expect to receive from AWS? 


A. We charge less in different time zones. 
B. We charge less where our costs are less. 
C. This will balance out next bill. 

D. It must be a mistake.


Answer: B 


Explanation: Amazon S3 is storage for the internet. It's a simple storage service that offers software developers a highly-scalable, reliable, and low-latency data
storage infrastructure at very low costs. 

AWS charges less where their costs are less. 

For example, their costs are lower in the US Standard Region than in the US West (Northern California) Region. 

Reference: https://aws.amazon.com/s3/faqs/ 


NEW QUESTION 192 
You are setting up some EBS volumes for a customer who has requested a setup which includes a RAID (redundant array of inexpensive disks). AWS has some 
recommendations for RAID setups. Which RAID setup is not recommended for Amazon EBS? 


A. RAID 5 only 

B. RAID 5 and RAID 6 
C. RAID 1 only 

D. RAID 1 and RAID 6


Answer: B


Explanation: With Amazon EBS, you can use any of the standard RAID configurations that you can use with a traditional bare metal server, as long as that
particular RAID configuration is supported by the operating system for your instance. This is because all RAID is accomplished at the software level. For greater
I/O performance than you can achieve with a single volume, RAID 0 can stripe multiple volumes together; for on-instance redundancy, RAID 1 can mirror two
volumes together.

RAID 5 and RAID 6 are not recommended for Amazon EBS because the parity write operations of these RAID modes consume some of the IOPS available to your 
volumes. 

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/raid-config.html 


NEW QUESTION 197 

You receive the following request from a client to quickly deploy a static website for them, specifically on AWS. The requirements are low-cost, reliable, online 
storage, and a reliable and cost-effective way to route customers to the website, as well as a way to deliver content with low latency and high data transfer speeds 
so that visitors to his website don't experience unnecessary delays. What do you think would be the minimum AWS services that could fulfill the client's request? 


A. Amazon Route 53, Amazon CloudFront and Amazon VPC. 
B. Amazon S3, Amazon Route 53 and Amazon RDS 

C. Amazon S3, Amazon Route 53 and Amazon CloudFront 
D. Amazon S3 and Amazon Route 53. 


Answer: C 


Explanation: You can easily and inexpensively use AWS to host a website that uses client-side technologies (such as HTML, CSS, and JavaScript) and does not 
require server-side technologies (such as PHP and ASP.NET). This type of site is called a static website, and is used to display content that does not change 
frequently. Before you create and deploy a static website, you must plan your architecture to ensure that it meets your requirements. Amazon S3, Amazon Route 
53, and Amazon CloudFront would be required in this instance. 

Reference: http://docs.aws.amazon.com/gettingstarted/latest/swh/website-hosting-intro.html 


NEW QUESTION 198 
Doug has created a VPC with CIDR 10.201.0.0/16 in his AWS account. In this VPC he has created a public subnet with CIDR block 10.201.31.0/24. While 
launching a new EC2 from the console, he is not able to assign the private IP address 10.201.31.6 to this instance. Which is the most likely reason for this issue? 


A. Private IP address 10.201.31.6 is blocked via ACLs in Amazon infrastructure as a part of platform security. 
B. Private address IP 10.201.31.6 is currently assigned to another interface. 

C. Private IP address 10.201.31.6 is not part of the associated subnet's IP address range. 

D. Private IP address 10.201.31.6 is reserved by Amazon for IP networking purposes.


Answer: B 


Explanation: In Amazon VPC, you can assign any Private IP address to your instance as long as it is:

Part of the associated subnet's IP address range

Not reserved by Amazon for IP networking purposes

Not currently assigned to another interface

Reference: http://aws.amazon.com/vpc/faqs/


NEW QUESTION 200 
You need to create a JSON-formatted text file for AWS CloudFormation. This is your first template and the only thing you know is that the templates include 
several major sections but there is only one that is required for it to work. What is the only section required? 


A. Mappings 
B. Outputs 

C. Resources 
D. Conditions 


Answer: C 


Explanation: AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing 
those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like 
Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. 

A template is a JSON-formatted text file that describes your AWS infrastructure. Templates include several major sections. 

The Resources section is the only section that is required. 

The first character in the template must be an open brace ({), and the last character must be a closed brace (}). The following template fragment shows the 
template structure and sections. 

Reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html 


NEW QUESTION 205 
Can a single EBS volume be attached to multiple EC2 instances at the same time? 


A. Yes 

B. No 

C. Only for high-performance EBS volumes. 

D. Only when the instances are located in the US region 


Answer: B


Explanation: You can't attach an EBS volume to multiple EC2 instances. This is because it is equivalent to using a single hard drive with many computers at the
same time.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html


NEW QUESTION 210
How long does an AWS free usage tier EC2 last for? 


A. Forever 

B. 12 Months upon signup 
C. 1 Month upon signup 
D. 6 Months upon signup 


Answer: B 


Explanation: The AWS free usage tier will expire 12 months from the date you sign up. When your free usage expires or if your application use exceeds the free 
usage tiers, you simply pay the standard, pay-as-you-go service rates. 
Reference: http://aws.amazon.com/free/faqs/ 


NEW QUESTION 212 
Which of the following statements is true of tagging an Amazon EC2 resource? 


A. You don't need to specify the resource identifier while terminating a resource. 
B. You can terminate, stop, or delete a resource based solely on its tags. 

C. You can't terminate, stop, or delete a resource based solely on its tags. 

D. You don't need to specify the resource identifier while stopping a resource.


Answer: C 


Explanation: You can assign tags only to resources that already exist. You can't terminate, stop, or delete a resource based solely on its tags; you must specify 
the resource identifier. 
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Using_Tags.html 


NEW QUESTION 215 

You have been setting up an Amazon Virtual Private Cloud (Amazon VPC) for your company, including setting up subnets. Security is a concern, and you are not 
sure which is the best security practice for securing subnets in your VPC. Which statement below is correct in describing the protection of AWS resources in each 
subnet? 


A. You can use multiple layers of security, including security groups and network access control lists (ACL). 

B. You can only use access control lists (ACL). 

C. You don't need any security in subnets. 

D. You can use multiple layers of security, including security groups, network access control lists (ACL) and CloudHSM. 


Answer: A 


Explanation: A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources 
that must be connected to the Internet, and a private subnet for resources that won't be connected to the Internet. 

To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACL). 
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html


NEW QUESTION 220 
Your organization is in the business of architecting complex transactional databases. For a variety of reasons, this has been done on EBS. What is AWS's 
recommendation for customers who have architected databases using EBS for backups? 


A. Backups to Amazon S3 be performed through the database management system. 

B. Backups to AWS Storage Gateway be performed through the database management system. 
C. If you take regular snapshots no further backups are required. 

D. Backups to Amazon Glacier be performed through the database management system.


Answer: A 


Explanation: Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no 
additional charge. 

However, Amazon EBS replication is stored within the same availability zone, not across multiple zones; therefore, it is highly recommended that you conduct 
regular snapshots to Amazon S3 for long-term data durability. 

For customers who have architected complex transactional databases using EBS, it is recommended that backups to Amazon S3 be performed through the 
database management system so that distributed transactions and logs can be checkpointed. 

AWS does not perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2. 

Reference: http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf


NEW QUESTION 225 

You have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region, and you want to distribute requests across all three IPs evenly 
for users for whom US East (Virginia) is the appropriate region. 

How many EC2 instances would be sufficient to distribute requests in other regions? 


Answer: D


Explanation: If your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance 
in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to 
instances within the region based on weights that you specify. 

For example, suppose you have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region and you want to distribute requests across 
all three IPs evenly for users for whom US East (Virginia) is the appropriate region. Just one Amazon EC2 instance is sufficient in the other regions, although you 
can apply the same technique to many regions at once. 

Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Tutorials.html 


NEW QUESTION 227 
A user has created a CloudFormation stack. The stack creates AWS services, such as EC2 instances, ELB, AutoScaling, and RDS. While creating the stack it 
created EC2, ELB and AutoScaling but failed to create RDS. What will CloudFormation do in this scenario?


A. Rollback all the changes and terminate all the created services 

B. It will wait for the user’s input about the error and correct the mistake after the input 

C. CloudFormation can never throw an error after launching a few services since it verifies all the steps before launching 
D. It will warn the user about the error and ask the user to manually create RDS 


Answer: A 


Explanation: AWS CloudFormation is an application management tool which provides application modeling, deployment, configuration, management and related
activities. The AWS CloudFormation stack is a collection of AWS resources which are created and managed as a single unit when AWS CloudFormation
instantiates a template. If any of the services fails to launch, CloudFormation will rollback all the changes and terminate or delete all the created services.

Reference: http://aws.amazon.com/cloudformation/faqs/


NEW QUESTION 231 
A major client who has been spending a lot of money on his internet service provider asks you to set up an AWS Direct Connection to try and save him some 
money. You know he needs high-speed connectivity. Which connection port speeds are available on AWS Direct Connect?


A. 500Mbps and 1Gbps 
B. 1Gbps and 10Gbps 
C. 100Mbps and 1Gbps 
D. 1Gbps 


Answer: B 


Explanation: AWS Direct Connect is a network service that provides an alternative to using the internet to utilize AWS cloud services. 

Using AWS Direct Connect, data that would have previously been transported over the Internet can now be delivered through a private network connection 
between AWS and your datacenter or corporate network. 

1Gbps and 10Gbps ports are available. Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners 
supporting AWS Direct Connect. 

Reference: https://aws.amazon.com/directconnect/faqs/ 


NEW QUESTION 233 
In Amazon EC2, what is the limit of Reserved Instances per Availability Zone each month? 


Answer: B


Explanation: There are 20 Reserved Instances per Availability Zone in each month. 
Reference: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html 


NEW QUESTION 235 
You have just finished setting up an advertisement server in which one of the obvious choices for a service was Amazon Elastic Map Reduce (EMR) and are now
troubleshooting some weird cluster states that you are seeing. Which of the below is not an Amazon EMR cluster state? 


A. STARTING 
B. STOPPED 
C. RUNNING 
D. WAITING 


Answer: B 


Explanation: Amazon Elastic Map Reduce (EMR) is a web service that enables businesses, researchers, data analysts, and developers to easily and
cost-effectively process vast amounts of data.

Amazon EMR historically referred to an Amazon EMR cluster (and all processing steps assigned to it) as a "cluster". Every cluster has a unique identifier that
starts with "j-".

The different cluster states of an Amazon EMR cluster are listed below.

STARTING — The cluster provisions, starts, and configures EC2 instances.

BOOTSTRAPPING — Bootstrap actions are being executed on the cluster.

RUNNING — A step for the cluster is currently being run.

WAITING — The cluster is currently active, but has no steps to run.

TERMINATING - The cluster is in the process of shutting down.

TERMINATED - The cluster was shut down without error.

TERMINATED_WITH_ERRORS - The cluster was shut down with errors.
Reference: https://aws.amazon.com/elasticmapreduce/faqs/ 


NEW QUESTION 238 
Is it possible to get a history of all EC2 API calls made on your account for security analysis and operational troubleshooting purposes? 


A. Yes, by default, the history of your API calls is logged. 

B. Yes, you should turn on the CloudTrail in the AWS console. 
C. No, you can only get a history of VPC API calls. 

D. No, you cannot store history of EC2 API calls on Amazon. 


Answer: B 


Explanation: To get a history of all EC2 API calls (including VPC and EBS) made on your account, you simply turn on CloudTrail in the AWS Management
Console. 
Reference: https://aws.amazon.com/ec2/faqs/ 


NEW QUESTION 242 
You have just discovered that you can upload your objects to Amazon S3 using Multipart Upload API. You start to test it out but are unsure of the benefits that it
would provide. Which of the following is not a benefit of using multipart uploads? 


A. You can begin an upload before you know the final object size. 
B. Quick recovery from any network issues. 

C. Pause and resume object uploads. 

D. It's more secure than normal upload.


Answer: D 


Explanation: Multipart upload in Amazon S3 allows you to upload a single object as a set of parts. Each part is a contiguous portion of the object's data. You can
upload these object parts independently and in any order.

If transmission of any part fails, you can re-transmit that part without affecting other parts. After all parts of your object are uploaded, Amazon S3 assembles these
parts and creates the object. In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a
single operation.

Using multipart upload provides the following advantages: 

Improved throughput—You can upload parts in parallel to improve throughput. 

Quick recovery from any network issues—Smaller part size minimizes the impact of restarting a failed upload due to a network error. 

Pause and resume object uploads—You can upload object parts over time. Once you initiate a multipart upload there is no expiry; you must explicitly complete or 
abort the multipart upload. 

Begin an upload before you know the final object size—You can upload an object as you are creating it.

Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html


NEW QUESTION 244 
What is the data model of DynamoDB? 


A. Since DynamoDB is schema-less, there is no data model. 

B. "Items", with Keys and one or more Attribute; and "Attribute", with Name and Value. 

C. "Table", a collection of Items; "Items", with Keys and one or more Attribute; and "Attribute", with Name and Value. 
D. "Database", which is a set of "Tables", which is a set of "Items", which is a set of "Attributes". 


Answer: C 


Explanation: The data model of DynamoDB is: "Table", a collection of Items; 
"Items", with Keys and one or more Attribute; "Attribute", with Name and Value. 
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DataModel.html 


NEW QUESTION 246 

Mike is appointed as Cloud Consultant in Netcrak Inc. Netcrak has the following VPCs set-up in the US East Region: 

A VPC with CIDR block 10.10.0.0/16, a subnet in that VPC with CIDR block 10.10.1.0/24

A VPC with CIDR block 10.40.0.0/16, a subnet in that VPC with CIDR block 10.40.1.0/24

Netcrak Inc is trying to establish network connection between two subnets, a subnet with CIDR block 10.10.1.0/24 and another subnet with CIDR block 
10.40.1.0/24. Which one of the following solutions should Mike recommend to Netcrak Inc?


A. Create 2 Virtual Private Gateways and configure one with each VPC. 

B. Create one EC2 instance in each subnet, assign Elastic IPs to both instances, and set up a Site-to-Site VPN connection between both EC2 instances.
C. Create a VPC Peering connection between both VPCs. 

D. Create 2 Internet Gateways, and attach one to each VPC.


Answer: C 


Explanation: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. 
EC2 instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your 
own VPCs, or with a VPC in another AWS account within a single region.

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate 
piece of physical hardware. 
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html


NEW QUESTION 248 
You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: <certificate-id> is being used by CloudFront." 
Which of the following statements is probably the reason why you are getting this error? 


A. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront 
certificate. 

B. You can't delete SSL certificates. You need to request it from AWS.

C. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM.

D. Before you can delete an SSL certificate you need to set up https on your server.


Answer: A 


Explanation: CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, and image files, to 
end users. 

Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL certificate. Before you can delete an SSL 
certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom 
SSL certificate to using the default CloudFront certificate. 

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html


NEW QUESTION 250 
You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: Security 
groups and network access control lists (ACLs). You start to look into security groups first. Which statement below is incorrect in relation to security groups? 


A. Are stateful: Return traffic is automatically allowed, regardless of any rules. 
B. Evaluate all rules before deciding whether to allow traffic. 

C. Support allow rules and deny rules. 

D. Operate at the instance level (first layer of defense). 


Answer: C 


Explanation: Amazon VPC provides two features that you can use to increase security for your VPC: 

Security groups—Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level, and support allow
rules only.

Network access control lists (ACLs)—Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level, and support allow
rules and deny rules.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html 


NEW QUESTION 251 
A user wants to increase the durability and availability of the EBS volume. Which of the below mentioned actions should he perform? 


A. Take regular snapshots. 

B. Create an AMI. 

C. Create EBS with higher capacity. 
D. Access EBS regularly.


Answer: A 


Explanation: In Amazon Web Services, Amazon EBS volumes that operate with 20 GB or less of modified data since their most recent snapshot can expect an 
annual failure rate (AFR) between 0.1% and 0.5%. For this reason, to maximize both durability and availability of their Amazon EBS data, the user should 
frequently create snapshots of the Amazon EBS volumes. 

Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf 


NEW QUESTION 252 
You have created a Route 53 latency record set from your domain to a machine in Northern Virginia and a similar record to a machine in Sydney. 
When a user located in the US visits your domain, he will be routed to:


A. Northern Virginia 

B. Sydney 

C. Both, Northern Virginia and Sydney 

D. Depends on the Weighted Resource Record Sets 


Answer: A 


Explanation: If your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance 
in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to 
instances within the region based on weights that you specify. 

For example, suppose you have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region and you want to distribute requests across 
all three IPs evenly for users for whom US East (Virginia) is the appropriate region. Just one Amazon EC2 instance is sufficient in the other regions, although you 
can apply the same technique to many regions at once. 

Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Tutorials.html 

NEW QUESTION 255

Having just set up your first Amazon Virtual Private Cloud (Amazon VPC) network, which defined a default network interface, you decide that you need to create 
and attach an additional network interface, known as an elastic network interface (ENI) to one of your instances. Which of the following statements is true 
regarding attaching network interfaces to your instances in your VPC? 


A. You can attach 5 ENIs per instance type.

B. You can attach as many ENIs as you want.

C. The number of ENIs you can attach varies by instance type.
D. You can attach 100 ENIs total regardless of instance type.


Answer: C 


Explanation: Each instance in your VPC has a default network interface that is assigned a private IP address from the IP address range of your VPC. You can 
create and attach an additional network interface, known as an elastic network interface (ENI), to any instance in your VPC. The number of ENIs you can attach
varies by instance type. 


NEW QUESTION 256 
A ______ for a VPC is a collection of subnets (typically private) that you may want to designate for your backend RDS DB Instances.


A. DB Subnet Set 

B. RDS Subnet Group 
C. DB Subnet Group 

D. DB Subnet Collection 


Answer: C 


Explanation: DB Subnet Groups are a set of subnets (one per Availability Zone of a particular region) designed for your DB instances that reside in a VPC. They
make it easy to manage Multi-AZ deployments as well as the conversion from a Single-AZ to a Multi-AZ one.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSVPC.html 


NEW QUESTION 258 
An organization has a statutory requirement to protect the data at rest for the S3 objects. Which of the below mentioned options need not be enabled by the 
organization to achieve data security? 


A. MFA delete for S3 objects 
B. Client side encryption 

C. Bucket versioning 

D. Data replication 


Answer: D 


Explanation: AWS S3 provides multiple options to achieve the protection of data at rest. The options include Permission (Policy), Encryption (Client and Server
Side), Bucket Versioning and MFA based delete. The user can enable any of these options to achieve data protection. Data replication is an internal facility by
AWS where S3 replicates each object across all the Availability Zones and the organization need not enable it in this case.

Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf 


NEW QUESTION 263 
In Amazon CloudFront, if you use Amazon EC2 instances and other custom origins with CloudFront, it is recommended to ______.


A. not use Elastic Load Balancing 

B. restrict Internet communication to private instances while allowing outgoing traffic 
C. enable access key rotation for CloudWatch metrics 

D. specify the URL of the load balancer for the domain name of your origin server 


Answer: D 


Explanation: In Amazon CloudFront, you should use an Elastic Load Balancing load balancer to handle traffic across multiple Amazon EC2 instances and to 
isolate your application from changes to Amazon EC2 instances. When you create your CloudFront distribution, specify the URL of the load balancer for the
domain name of your origin server. 

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CustomOriginBestPractices.html


NEW QUESTION 265 
What is the time period with which metric data is sent to CloudWatch when detailed monitoring is enabled on an Amazon EC2 instance? 


A. 15 minutes 
B. 5 minutes 
C. 1 minute 
D. 45 seconds


Answer: C


Explanation: By default, Amazon EC2 metric data is automatically sent to CloudWatch in 5-minute periods. However, you can enable detailed monitoring on an
Amazon EC2 instance, which sends data to CloudWatch in 1-minute periods.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html 


NEW QUESTION 266 
Which of the following features are provided by Amazon EC2? 


A. Exadata Database Machine, Optimized Storage Management, Flashback Technology, and Data Warehousing 

B. Instances, Amazon Machine Images (AMIs), Key Pairs, Amazon EBS Volumes, Firewall, Elastic IP address, Tags, and Virtual Private Clouds (VPCs) 
C. Real Application Clusters (RAC), Elasticache Machine Images (EMIs), Data Warehousing, Flashback Technology, Dynamic IP address 

D. Exadata Database Machine, Real Application Clusters (RAC), Data Guard, Table and Index Partitioning, and Data Pump Compression 


Answer: B 


Explanation: Amazon EC2 provides the following features: 

- Virtual computing environments, known as instances

- Pre-configured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need for your server (including the operating
system and additional software) 

- Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types 

- Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a secure place) 

- Storage volumes for temporary data that's deleted when you stop or terminate your instance, known as instance store volumes 

- Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes 

- Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as regions and Availability Zones 

- A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using security groups 

- Static IP addresses for dynamic cloud computing, known as Elastic IP addresses 

- Metadata, known as tags, that you can create and assign to your Amazon EC2 resources 

- Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally connect to your own network, known as 
virtual private clouds (VPCs). 

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html


NEW QUESTION 269 
In Amazon Elastic Compute Cloud, which of the following is used for communication between instances in the same network (EC2-Classic or a VPC)?


A. Private IP addresses 
B. Elastic IP addresses 
C. Static IP addresses 

D. Public IP addresses 


Answer: A 


Explanation: A private IP address is an IP address that's not reachable over the Internet. You can use private IP addresses for communication between instances 
in the same network (EC2-Classic or a VPC).
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-instance-addressing.html


NEW QUESTION 273 
Are penetration tests allowed as long as they are limited to the customer's instances? 


A. Yes, they are allowed but only for selected regions. 
B. No, they are never allowed. 

C. Yes, they are allowed without any permission. 

D. Yes, they are allowed but only with approval. 


Answer: D 


Explanation: Penetration tests are allowed after obtaining permission from AWS to perform them.
Reference: http://aws.amazon.com/security/penetration-testing/


NEW QUESTION 277 
A user has created an ELB with the availability zone US-East-1A. The user wants to add more zones to ELB to achieve High Availability. How can the user add 
more zones to the existing ELB? 


A. The user should stop the ELB and add zones and instances as required 
B. The only option is to launch instances in different zones and add to ELB 
C. It is not possible to add more zones to the existing ELB 

D. The user can add zones on the fly from the AWS console 


Answer: D 

Explanation: The user has created an Elastic Load Balancer with the availability zone and wants to add more zones to the existing ELB. The user can do so in 
two ways: 

From the console or CLI, add new zones to ELB;

Launch instances in a separate AZ and add instances to the existing ELB.

Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-disable-az.html


NEW QUESTION 281 
What happens to data on an ephemeral volume of an EBS-backed EC2 instance if it is terminated or if it fails?


A. Data is automatically copied to another volume. 
B. The volume snapshot is saved in S3. 

C. Data persists. 

D. Data is deleted.


Answer: D 


Explanation: Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated or if it 
fails (such as if an underlying drive has issues). After an instance store-backed instance fails or terminates, it cannot be restored. 
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html


NEW QUESTION 282 
A user is sending bulk emails using AWS SES. The emails are not reaching some of the targeted audience because they are not authorized by the ISPs. How can 
the user ensure that the emails are all delivered? 


A. Send an email using DKIM with SES.

B. Send an email using SMTP with SES. 

C. Open a ticket with AWS support to get it authorized with the ISP. 
D. Authorize the ISP by sending emails from the development account.


Answer: A 


Explanation: DomainKeys Identified Mail (DKIM) is a standard that allows senders to sign their email messages and ISPs to use those signatures to verify that
those messages are legitimate and have not been modified by a third party in transit. 
Reference: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/dkim.html 


NEW QUESTION 284 
In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of 
keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a: 


A. Luna Restore HSM.
B. Luna Backup HSM.
C. Luna HSM.

D. Luna SA HSM. 


Answer: B 


Explanation: In AWS CloudHSM, you can perform a remote backup/restore of a Luna SA partition if you have purchased a Luna Backup HSM. 
Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-backup-restore.html 


NEW QUESTION 288 
A user has launched a large EBS backed EC2 instance in the US-East-1a region. The user wants to achieve Disaster Recovery (DR) for that instance by creating 
another small instance in Europe. How can the user achieve DR? 


A. Copy the instance from the US East region to the EU region 

B. Use the "Launch more like this" option to copy the instance from one region to another 
C. Copy the running instance using the "Instance Copy" command to the EU region

D. Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI


Answer: D 


Explanation: To launch an EC2 instance it is required to have an AMI in that region. If the AMI is not available in that region, then create a new AMI or use the 
copy command to copy the AMI from one region to the other region. 
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html 


NEW QUESTION 291 

Content and Media Server is the latest requirement that you need to meet for a client.

The client has been very specific about his requirements such as low latency, high availability, durability, and access control. Potentially there will be millions of 
views on this server and because of "spiky" usage patterns, operations teams will need to provision static hardware, network, and management resources to 
support the maximum expected need. The customer base will be initially low but is expected to grow and become more geographically distributed.

Which of the following would be a good solution for content distribution? 


A. Amazon S3 as both the origin server and for caching 

B. AWS Storage Gateway as the origin server and Amazon EC2 for caching 
C. AWS CloudFront as both the origin server and for caching 

D. Amazon S3 as the origin server and Amazon CloudFront for caching


Answer: D


Explanation: As your customer base grows and becomes more geographically distributed, using a high-performance edge cache like Amazon CloudFront can
provide substantial improvements in latency, fault tolerance, and cost.

By using Amazon S3 as the origin server for the Amazon CloudFront distribution, you gain the advantages of fast in-network data transfer rates, simple
publishing/caching workflow, and a unified security framework. 

Amazon S3 and Amazon CloudFront can be configured by a web service, the AWS Management Console, or a host of third-party management tools. 
Reference: http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_media_02.pdf


NEW QUESTION 296 

You are setting up your first Amazon Virtual Private Cloud (Amazon VPC) network so you decide you should probably use the AWS Management Console and the 
VPC Wizard. Which of the following is not an option for network architectures after launching the "Start VPC Wizard" in Amazon VPC page on the AWS 
Management Console? 


A. VPC with a Single Public Subnet Only 

B. VPC with a Public Subnet Only and Hardware VPN Access 

C. VPC with Public and Private Subnets and Hardware VPN Access 
D. VPC with a Private Subnet Only and Hardware VPN Access 


Answer: B 


Explanation: Amazon VPC enables you to build a virtual network in the AWS cloud - no VPNs, hardware, or physical datacenters required. 

Your AWS resources are automatically provisioned in a ready-to-use default VPC. You can choose to create additional VPCs by going to Amazon VPC page on 
the AWS Management Console and click on the "Start VPC Wizard" button. 

You'll be presented with four basic options for network architectures. After selecting an option, you can modify the size and IP address range of the VPC and its 
subnets. If you select an option with Hardware VPN Access, you will need to specify the IP address of the VPN hardware on your network. You can modify the 
VPC to add more subnets or add or remove gateways at any time after the VPC has been created. 

The four options are: 

VPC with a Single Public Subnet Only

VPC with Public and Private Subnets

VPC with Public and Private Subnets and Hardware VPN Access

VPC with a Private Subnet Only and Hardware VPN Access

Reference: https://aws.amazon.com/vpc/faqs/


NEW QUESTION 300 
Which one of the below doesn't affect Amazon CloudFront billing? 


A. Distribution Type 

B. Data Transfer Out 

C. Dedicated IP SSL Certificates 
D. Requests 


Answer: A 


Explanation: Amazon CloudFront is a web service for content delivery. CloudFront delivers your content using a global network of edge locations and works
seamlessly with Amazon S3 which durably stores the original and definitive versions of your files. 

Amazon CloudFront billing is mainly affected by:

Data Transfer Out

Edge Location Traffic Distribution

Requests

Dedicated IP SSL Certificates

Reference: http://calculator.s3.amazonaws.com/index.html


NEW QUESTION 304 
A user is trying to launch a similar EC2 instance from an existing instance with the option "Launch More like this". The AMI of the selected instance is deleted. What
will happen in this case? 


A. AWS does not need an AMI for the "Launch more like this" option 
B. AWS will launch the instance but will not create a new AMI 

C. AWS will create a new AMI and launch the instance 

D. AWS will throw an error saying that the AMI is deregistered 


Answer: D 


Explanation: If the user has deregistered the AMI of an EC2 instance and is trying to launch a similar instance with the option "Launch more like this", AWS will 
throw an error saying that the AMI is deregistered or not available. 
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html 


NEW QUESTION 308 

Your company has multiple IT departments, each with their own VPC. Some VPCs are located within the same AWS account, and others in a different AWS 
account. You want to peer together all VPCs to enable the IT departments to have full access to each other's resources. There are certain limitations placed on
VPC peering. Which of the following statements is incorrect in relation to VPC peering? 


A. Private DNS values cannot be resolved between instances in peered VPCs. 

B. You can have up to 3 VPC peering connections between the same two VPCs at the same time. 

C. You cannot create a VPC peering connection between VPCs in different regions. 

D. You have a limit on the number of active and pending VPC peering connections that you can have per VPC.


Answer: B


Explanation: To create a VPC peering connection with another VPC, you need to be aware of the following limitations and rules:


You cannot create a VPC peering connection between VPCs that have matching or overlapping CIDR blocks.

You cannot create a VPC peering connection between VPCs in different regions.

You have a limit on the number of active and pending VPC peering connections that you can have per VPC.

VPC peering does not support transitive peering relationships; in a VPC peering connection, your VPC will not have access to any other VPCs that the peer VPC
may be peered with. This includes VPC peering connections that are established entirely within your own AWS account.

You cannot have more than one VPC peering connection between the same two VPCs at the same time.

The Maximum Transmission Unit (MTU) across a VPC peering connection is 1500 bytes.

A placement group can span peered VPCs; however, you will not get full-bisection bandwidth between instances in peered VPCs.

Unicast reverse path forwarding in VPC peering connections is not supported.

You cannot reference a security group from the peer VPC as a source or destination for ingress or egress rules in your security group. Instead, reference CIDR
blocks of the peer VPC as the source or destination of your security group's ingress or egress rules.

Private DNS values cannot be resolved between instances in peered VPCs.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-overview.html#vpc-peering-limitations


NEW QUESTION 310 

After a major security breach your manager has requested a report of all users and their credentials in AWS. You discover that in IAM you can generate and 
download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, MFA devices, 
and signing certificates. Which of the following statements is incorrect in regards to the use of credential reports?


A. Credential reports are downloaded XML files. 

B. You can get a credential report using the AWS Management Console, the AWS CLI, or the IAM API. 

C. You can use the report to audit the effects of credential lifecycle requirements, such as password rotation. 
D. You can generate a credential report as often as once every four hours.


Answer: A 


Explanation: To access your AWS account resources, users must have credentials. 

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access 
keys, MFA devices, and signing certificates. You can get a credential report using the AWS Management Console, the AWS CLI, or the IAM API. 

You can use credential reports to assist in your auditing and compliance efforts. You can use the report to audit the effects of credential lifecycle requirements, 
such as password rotation. You can provide the report to an external auditor, or grant permissions to an auditor so that he or she can download the report directly. 
You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the account has been 
generated within the past four hours. If so, the most recent report is downloaded. If the most recent report for the account is more than four hours old, or if there 
are no previous reports for the account, IAM generates and downloads a new report. 

Credential reports are downloaded as comma-separated values (CSV) files. 

You can open CSV files with common spreadsheet software to perform analysis, or you can build an application that consumes the CSV files programmatically and
performs custom analysis.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/credential-reports.html


NEW QUESTION 315 
In the most recent company meeting, your CEO focused on the fact that everyone in the organization needs to make sure that all of the infrastructure that is built is 
truly scalable. Which of the following statements is incorrect in reference to scalable architecture? 


A. A scalable service is capable of handling heterogeneity. 

B. A scalable service is resilient. 

C. A scalable architecture won't be cost effective as it grows. 

D. Increasing resources results in a proportional increase in performance.


Answer: C 


Explanation: In AWS it is critical to build a scalable architecture in order to take advantage of a scalable infrastructure. The cloud is designed to provide 
conceptually infinite scalability. However, you cannot leverage all that scalability in infrastructure if your architecture is not scalable. Both have to work together. 
You will have to identify the monolithic components and bottlenecks in your architecture, identify the areas where you cannot leverage the on-demand provisioning 
capabilities in your architecture, and work to refactor your application, in order to leverage the scalable infrastructure and take advantage of the cloud. 
Characteristics of a truly scalable application: 

Increasing resources results in a proportional increase in performance

A scalable service is capable of handling heterogeneity

A scalable service is operationally efficient

A scalable service is resilient

A scalable service should become more cost effective when it grows (Cost per unit reduces as the number of units increases)

Reference: http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf


NEW QUESTION 319 

A user has defined an AutoScaling termination policy to first delete the instance with the nearest billing hour. AutoScaling has launched 3 instances in the
US-East-1A region and 2 instances in the US-East-1B region. One of the instances in the US-East-1B region is running nearest to the billing hour. Which instance will
AutoScaling terminate first while executing the termination action?


A. Random Instance from US-East-1A 
B. Instance with the nearest billing hour in US-East-1B
C. Instance with the nearest billing hour in US-East-1A 
D. Random instance from US-East-1B 


Answer: C


Explanation: Even though the user has configured the termination policy, before AutoScaling selects an instance to terminate, it first identifies the Availability
Zone that has more instances than the other Availability Zones used by the group. Within the selected Availability Zone, it identifies the instance that matches the
specified termination policy.
Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/us-termination-policy.html


NEW QUESTION 321 
A user is planning a highly available application deployment with EC2. Which of the below mentioned options will not help to achieve HA?


A. Elastic IP address 
B. PIOPS 

C. AMI 

D. Availability Zones 


Answer: B 


Explanation: In Amazon Web Service, the user can achieve HA by deploying instances in multiple zones. The elastic IP helps the user achieve HA when one of 
the instances is down but still keeps the same URL. The AMI helps launch the new instance. The PIOPS is for the performance of EBS and does not help for
HA.
Reference: http://media.amazonwebservices.com/AWS_Web_Hosting_Best_Practices.pdf


NEW QUESTION 322 
You are playing around with setting up stacks using JSON templates in CloudFormation to try and understand them a little better. You have set up about 5 or 6 but
now start to wonder if you are being charged for these stacks. What is AWS's billing policy regarding stack resources? 


A. You are not charged for the stack resources if they are not taking any traffic. 

B. You are charged for the stack resources for the time they were operating (even if you deleted the stack right away) 

C. You are charged for the stack resources for the time they were operating (but not if you deleted the stack within 60 minutes) 
D. You are charged for the stack resources for the time they were operating (but not if you deleted the stack within 30 minutes) 


Answer: B 


Explanation: A stack is a collection of AWS resources that you can manage as a single unit. In other words, you can create, update, or delete a collection of 
resources by creating, updating, or deleting stacks. All the resources in a stack are defined by the stack's AWS CloudFormation template. A stack, for instance, 
can include all the resources required to run a web application, such as a web server, a database, and networking rules. If you no longer require that web 
application, you can simply delete the stack, and all of its related resources are deleted. 

You are charged for the stack resources for the time they were operating (even if you deleted the stack right away). 

Reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html 


NEW QUESTION 326 

You have been given a scope to set up an AWS Media Sharing Framework for a new start-up photo sharing company similar to Flickr. The first thing that comes to mind about this is that it will obviously need a huge amount of persistent data storage for this framework. Which of the following storage options would be appropriate for persistent storage?


A. Amazon Glacier or Amazon S3 

B. Amazon Glacier or AWS Import/Export 

C. AWS Import/Export or Amazon CloudFront 
D. Amazon EBS volumes or Amazon S3


Answer: D 


Explanation: Persistent storage: If you need persistent virtual disk storage similar to a physical disk drive for files or other data that must persist longer than the lifetime of a single Amazon EC2 instance, Amazon EBS volumes or Amazon S3 are more appropriate.
Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf 


NEW QUESTION 328 
In Route 53, what does a Hosted Zone refer to? 


A. A hosted zone is a collection of geographical load balancing rules for Route 53. 

B. A hosted zone is a collection of resource record sets hosted by Route 53. 

C. A hosted zone is a selection of specific resource record sets hosted by CloudFront for distribution to Route 53. 
D. A hosted zone is the Edge Location that hosts the Route 53 records for a user.


Answer: B 


Explanation: A Hosted Zone refers to a selection of resource record sets hosted by Route 53. 
Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHostedZones.html 


NEW QUESTION 332 
Which DNS name can only be resolved within Amazon EC2? 


A. Public DNS name 
B. Internal DNS name 
C. External DNS name 
D. Global DNS name


Answer: B


Explanation: Only the internal DNS name can be resolved within Amazon EC2.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-instance-addressing.html


NEW QUESTION 336
You need to create a management network using network interfaces for a virtual private cloud (VPC) network. Which of the following statements is incorrect pertaining to Best Practices for Configuring Network Interfaces?


A. You can detach secondary (ethN) network interfaces when the instance is running or stopped.

B. However, you can't detach the primary (eth0) interface. 

C. Launching an instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of 
the instance. 

D. You can attach a network interface in one subnet to an instance in another subnet in the same VPC, however, both the network interface and the instance must 
reside in the same Availability Zone. 

E. Attaching another network interface to an instance is a valid method to increase or double the network bandwidth to or from the dual-homed instance.


Answer: D 


Explanation: Best Practices for Configuring Network Interfaces 

You can attach a network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold 
attach). 

You can detach secondary (ethN) network interfaces when the instance is running or stopped. However, you can't detach the primary (eth0) interface.

You can attach a network interface in one subnet to an instance in another subnet in the same VPC, however, both the network interface and the instance must 
reside in the same Availability Zone. 

When launching an instance from the CLI or API, you can specify the network interfaces to attach to the instance for both the primary (eth0) and additional network interfaces.

Launching an instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the 
instance. 

A warm or hot attach of an additional network interface may require you to manually bring up the second interface, configure the private IP address, and modify the 
route table accordingly. (Instances running Amazon Linux automatically recognize the warm or hot attach and configure themselves.) 

Attaching another network interface to an instance is not a method to increase or double the network bandwidth to or from the dual-homed instance. 

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#use-network-and-security-appliances-in-your-vpc


NEW QUESTION 339 
Can I change the EC2 security groups after an instance is launched in EC2-Classic?


A. Yes, you can change security groups after you launch an instance in EC2-Classic. 
B. No, you cannot change security groups after you launch an instance in EC2-Classic. 
C. Yes, you can only when you remove rules from a security group. 

D. Yes, you can only when you add rules to a security group.


Answer: B 


Explanation: After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security 
group, and those changes are automatically applied to all instances that are associated with the security group. 
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html 


NEW QUESTION 341 
You can seamlessly join an EC2 instance to your directory domain. What connectivity do you need to be able to connect remotely to this instance?


A. You must have IP connectivity to the instance from the network you are connecting from.
B. You must have the correct encryption keys to connect to the instance remotely.

C. You must have enough bandwidth to connect to the instance.

D. You must use MFA authentication to be able to connect to the instance remotely.


Answer: A 


Explanation: You can seamlessly join an EC2 instance to your directory domain when the instance is launched using the Amazon EC2 Simple Systems Manager. If you need to manually join an EC2 instance to your domain, you must launch the instance in the proper region and security group or subnet, then join the instance to the domain. To be able to connect remotely to these instances, you must have IP connectivity to the instances from the network you are connecting from. In most cases, this requires that an Internet gateway be attached to your VPC and that the instance has a public IP address.

Reference: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_a_directory.html 


NEW QUESTION 343 

You are in the process of moving your friend's WordPress site onto AWS to try and save him some money, and you have told him that he should probably also move his domain name. He asks why he can't leave his domain name where it is and just have his infrastructure on AWS. What would be an incorrect response to his question?


A. Route 53 offers low query latency for your end users. 

B. Route 53 is designed to automatically answer queries from the optimal location depending on network conditions. 

C. The globally distributed nature of AWS's DNS servers helps ensure a consistent ability to route your end users to your application. 
D. Route 53 supports Domain Name System Security Extensions (DNSSEC). 


Answer: D 


Explanation: Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web 
services. 

Route 53 is built using AWS’s highly available and reliable infrastructure. The globally distributed nature of our DNS servers helps ensure a consistent ability to 
route your end users to your application by circumventing any internet or network related issues. Route 53 is designed to provide the level of dependability 
required by important applications. Using a global anycast network of DNS servers around the world, Route 53 is designed to automatically answer queries from 
the optimal location depending on network conditions. As a result, the service offers low query latency for your end users.
Amazon Route 53 does not support Domain Name System Security Extensions (DNSSEC) at this time.
Reference: https://aws.amazon.com/route53/faqs/


NEW QUESTION 345 
In Amazon EC2, you are billed instance-hours when ____.


A. your EC2 instance is in a running state 

B. the instance exits from Amazon S3 console 
C. your instance still exits the EC2 console 

D. EC2 instances stop 


Answer: A 


Explanation: You are billed instance-hours as long as your EC2 instance is in a running state.
Reference: http://aws.amazon.com/ec2/faqs/


NEW QUESTION 347 
A user has created an ELB with Auto Scaling. Which of the below mentioned offerings from ELB helps the user to stop sending new request traffic from the load balancer to the EC2 instance when the instance is being deregistered while continuing in-flight requests?


A. ELB sticky session 

B. ELB deregistration check 
C. ELB auto registration Off 
D. ELB connection draining 


Answer: D 


Explanation: The Elastic Load Balancer connection draining feature causes the load balancer to stop sending new requests to the back-end instances when the 
instances are deregistering or become unhealthy, while ensuring that in-flight requests continue to be served. 

Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/config-conn-drain.html


NEW QUESTION 351 
A user is running a webserver on EC2. The user wants to receive an SMS when the EC2 instance utilization is above the threshold limit. Which AWS services should the user configure in this case?


A. AWS CloudWatch + AWS SQS. 
B. AWS CloudWatch + AWS SNS. 
C. AWS CloudWatch + AWS SES. 
D. AWS EC2 + AWS Cloudwatch.


Answer: B 


Explanation: Amazon SNS makes it simple and cost-effective to push to mobile devices, such as iPhone, iPad, Android, Kindle Fire, and internet connected smart devices, as well as pushing to other distributed services. In this case, the user can configure CloudWatch to send an alarm to SNS when the threshold is crossed, which will trigger an SMS.

Reference: http://aws.amazon.com/sns/ 


NEW QUESTION 352 

A user is making a scalable web application with compartmentalization. The user wants the log module to be able to be accessed by all the application 
functionalities in an asynchronous way. Each module of the application sends data to the log module, and based on the resource availability it will process the logs. 
Which AWS service helps this functionality? 


A. AWS Simple Queue Service. 

B. AWS Simple Notification Service. 
C. AWS Simple Workflow Service. 
D. AWS Simple Email Service.


Answer: A 


Explanation: Amazon Simple Queue Service (SQS) is a highly reliable distributed messaging system for storing messages as they travel between computers. By 
using Amazon SQS, developers can simply move data between distributed application components. It is used to achieve compartmentalization or loose coupling. 
In this case all the modules will send a message to the logger queue and the data will be processed by queue as per the resource availability. 

Reference: http://media.amazonwebservices.com/AWS_Building_Fault_Tolerant_Applications.pdf


NEW QUESTION 354 
Your manager has come to you saying that he is very confused about the bills he is receiving from AWS as he is getting different bills for every user and needs you
to look into making it more understandable. Which of the following would be the best solution to meet his request? 


A. AWS Billing Aggregation 
B. Consolidated Billing 

C. Deferred Billing 

D. Aggregated Billing


Answer: B


Explanation: Consolidated Billing enables you to consolidate payment for multiple AWS accounts within your company by designating a single paying account. Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your "Paying Account". Consolidated Billing is offered at no additional charge.
Reference: https://aws.amazon.com/billing/faqs/


NEW QUESTION 355 
Which one of the following can't be used as an origin server with Amazon CloudFront? 


A. A web server running in your infrastructure 

B. Amazon S3 

C. Amazon Glacier 

D. A web server running on Amazon EC2 instances 


Answer: C 


Explanation: Amazon CloudFront is designed to work with Amazon S3 as your origin server. Customers can also use Amazon CloudFront with origin servers running on Amazon EC2 instances or with any other custom origin.
Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web.html 


NEW QUESTION 357 
You have written a CloudFormation template that creates 1 Elastic Load Balancer fronting 2 EC2 Instances. Which section of the template should you edit so that
the DNS of the load balancer is returned upon creation of the stack? 


A. Resources 
B. Outputs 

C. Parameters 
D. Mappings 


Answer: B 


Explanation: You can use AWS CloudFormation’s sample templates or create your own templates to describe the AWS resources, and any associated 
dependencies or runtime parameters, required to run your application. 

Reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html


NEW QUESTION 359 
You have been asked to set up a database in AWS that will require frequent and granular updates. You know that you will require a reasonable amount of storage 
space but are not sure of the best option. What is the recommended storage option when you run a database on an instance with the above criteria? 


A. Amazon S3

B. Amazon EBS 

C. AWS Storage Gateway 
D. Amazon Glacier 


Answer: B 


Explanation: Amazon EBS provides durable, block-level storage volumes that you can attach to a running Amazon EC2 instance. You can use Amazon EBS as a 
primary storage device for data that requires frequent and granular updates. For example, Amazon EBS is the recommended storage option when you run a 
database on an instance. 

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html 


NEW QUESTION 361 

You have been asked to set up monitoring of your network and you have decided that CloudWatch would be the best service to use. Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real-time. You can use CloudWatch to collect and track metrics, which are the variables you want to measure for your resources and applications. Which of the following items listed can AWS CloudWatch monitor?


A. Log files your applications generate. 

B. All of the items listed on this page. 

C. System-wide visibility into resource utilization, application performance, and operational health. 
D. Custom metrics generated by your applications and services.


Answer: B 


Explanation: Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as 
well as custom metrics generated by your applications and services, and any log files your applications generate. You can use Amazon CloudWatch to gain 
system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application 
running smoothly. 

Reference: http://aws.amazon.com/cloudwatch/ 


NEW QUESTION 362 
You need to quickly set up an email-sending service because a client needs to start using it in the next hour. Amazon Simple Email Service (Amazon SES) seems 
to be the logical choice but there are several options available to set it up. Which of the following options to set up SES would best meet the needs of the client?


A. Amazon SES console 
B. AWS CloudFormation 
C. SMTP Interface 

D. AWS Elastic Beanstalk 


Answer: A 


Explanation: Amazon SES is an outbound-only email-sending service that provides an easy, cost-effective way for you to send email. 

There are several ways that you can send an email by using Amazon SES. You can use the Amazon SES console, the Simple Mail Transfer Protocol (SMTP) interface, or you can call the Amazon SES API.

Amazon SES console: This method is the quickest way to set up your system.

Reference: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/Welcome.html


NEW QUESTION 365 
Identify a true statement about the On-Demand instances purchasing option provided by Amazon EC2. 


A. Pay for the instances that you use by the hour, with no long-term commitments or up-front payments. 

B. Make a low, one-time, up-front payment for an instance, reserve it for a one- or three-year term, and pay a significantly lower hourly rate for these instances. 
C. Pay for the instances that you use by the hour, with long-term commitments or up-front payments. 

D. Make a high, one-time, all-front payment for an instance, reserve it for a one- or three-year term, and pay a significantly higher hourly rate for these instances.


Answer: A 


Explanation: On-Demand instances allow you to pay for the instances that you use by the hour, with no long-term commitments or up-front payments. 
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/reserved-instances-offerings.html 


NEW QUESTION 368 
Which of the following statements is NOT true about using Elastic IP Address (EIP) in EC2-Classic and EC2-VPC platforms? 


A. In the EC2-VPC platform, the Elastic IP Address (EIP) does not remain associated with the instance when you stop it.

B. In the EC2-Classic platform, stopping the instance disassociates the Elastic IP Address (EIP) from it. 

C. In the EC2-VPC platform, if you have attached a second network interface to an instance, when you disassociate the Elastic IP Address (EIP) from that 
instance, a new public IP address is not assigned to the instance automatically; you'll have to associate an EIP with it manually. 

D. In the EC2-Classic platform, if you disassociate an Elastic IP Address (EIP) from the instance, the instance is automatically assigned a new public IP address 
within a few minutes. 


Answer: A 


Explanation: In the EC2-Classic platform, when you associate an Elastic IP Address (EIP) with an instance, the instance's current public IP address is released to 
the EC2-Classic public IP address pool. If you disassociate an EIP from the instance, the instance is automatically assigned a new public IP address within a few 
minutes. In addition, stopping the instance also disassociates the EIP from it. 

But in the EC2-VPC platform, when you associate an EIP with an instance in a default Virtual Private Cloud (VPC), or an instance in which you assigned a public IP to the eth0 network interface during launch, its current public IP address is released to the EC2-VPC public IP address pool. If you disassociate an EIP from the instance, the instance is automatically assigned a new public IP address within a few minutes. However, if you have attached a second network interface to the instance, the instance is not automatically assigned a new public IP address; you'll have to associate an EIP with it manually. The EIP remains associated with the instance when you stop it.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html 


NEW QUESTION 371 
You have a Business support plan with AWS. One of your EC2 instances is running Microsoft Windows Server 2008 R2 and you are having problems with the
software. Can you receive support from AWS for this software? 


A. Yes 

B. No, AWS does not support any third-party software. 

C. No, Microsoft Windows Server 2008 R2 is not supported.
D. No, you need to be on the enterprise support plan.


Answer: A 


Explanation: Third-party software support is available only to AWS Support customers enrolled for Business or Enterprise Support. Third-party support applies 
only to software running on Amazon EC2 and does not extend to assisting with on-premises software. An exception to this is a VPN tunnel configuration running 
supported devices for Amazon VPC. 

Reference: https://aws.amazon.com/premiumsupport/features/ 


NEW QUESTION 373 
After deciding that EMR will be useful in analysing vast amounts of data for a gaming website that you are architecting you have just deployed an Amazon EMR 
Cluster and wish to monitor the cluster performance. Which of the following tools cannot be used to monitor the cluster performance? 


A. Kinesis 

B. Ganglia 

C. CloudWatch Metrics 

D. Hadoop Web Interfaces 


Answer: A


Explanation: Amazon EMR provides several tools to monitor the performance of your cluster.

Hadoop Web Interfaces

Every cluster publishes a set of web interfaces on the master node that contain information about the cluster. You can access these web pages by using an SSH tunnel to connect to them on the master node. For more information, see View Web Interfaces Hosted on Amazon EMR Clusters.

CloudWatch Metrics

Every cluster reports metrics to CloudWatch. CloudWatch is a web service that tracks metrics, and which you can use to set alarms on those metrics. For more information, see Monitor Metrics with CloudWatch.

Ganglia

Ganglia is a cluster monitoring tool. To have this available, you have to install Ganglia on the cluster when you launch it. After you've done so, you can monitor the cluster as it runs by using an SSH tunnel to connect to the Ganglia UI running on the master node. For more information, see Monitor Performance with Ganglia.

Reference: http://docs.aws.amazon.com/ElasticMapReduce/latest/DeveloperGuide/emr-troubleshoot-tools.html


NEW QUESTION 376 
A user has launched one EC2 instance in the US West region. The user wants to access the RDS instance launched in the US East region from that EC2 instance. 
How can the user configure the access for that EC2 instance? 


A. Configure the IP range of the US West region instance as the ingress security rule of RDS 

B. It is not possible to access RDS of the US East region from the US West region 

C. Open the security group of the US West region in the RDS security group’s ingress rule 

D. Create an IAM role which has access to RDS and launch an instance in the US West region with it 


Answer: A 


Explanation: The user cannot authorize an Amazon EC2 security group if it is in a different AWS Region than the RDS DB instance. The user can authorize an IP 
range or specify an Amazon EC2 security group in the same region that refers to an IP address in another region. 
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html 


NEW QUESTION 379 

You need to create a load balancer in a VPC network that you are building. You can make your load balancer internal (private) or internet-facing (public). When 
you make your load balancer internal, a DNS name will be created, and it will contain the private IP address of the load balancer. An internal load balancer is not 
exposed to the internet. When you make your load balancer internet-facing, a DNS name will be created with the public IP address. If you want the Internet-facing 
load balancer to be connected to the Internet, where must this load balancer reside? 


A. The load balancer must reside in a subnet that is connected to the internet using the internet gateway. 
B. The load balancer must reside in a subnet that is not connected to the internet. 

C. The load balancer must not reside in a subnet that is connected to the internet. 

D. The load balancer must be completely outside of your VPC.


Answer: A 


Explanation: When you create an internal Elastic Load Balancer in a VPC, you need to select private subnets that are in the same Availability Zone as your 
instances. If the VPC Elastic Load Balancer is to be public facing, you need to create the Elastic Load Balancer in a public subnet. A subnet is a public subnet if it 
is attached to an Internet Gateway (IGW) with a defined route to that gateway. Selecting more than one public subnet increases the availability of your Elastic Load 
Balancer. 

NB - Elastic Load Balancers in EC2-Classic are always Internet-facing load balancers.

Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-internet-facing-load-balancers.html


NEW QUESTION 382 
Can you move a Reserved Instance from one Availability Zone to another? 


A. Yes, but each Reserved Instance is associated with a specific Region that cannot be changed. 
B. Yes, only in US-West-2. 

C. Yes, only in US-East-1. 

D. No 


Answer: A 


Explanation: Each Reserved Instance is associated with a specific Region, which is fixed for the lifetime of the reservation and cannot be changed. Each 
reservation can, however, be used in any of the available AZs within the associated Region. 
Reference: https://aws.amazon.com/rds/faqs/ 


NEW QUESTION 384 

You need to develop and run some new applications on AWS and you know that Elastic Beanstalk and CloudFormation can both help as a deployment 
mechanism for a broad range of AWS resources. Which of the following statements best describes the differences between Elastic Beanstalk and 
CloudFormation?


A. Elastic Beanstalk uses Elastic load balancing and CloudFormation doesn't. 

B. CloudFormation is faster in deploying applications than Elastic Beanstalk. 

C. Elastic Beanstalk is faster in deploying applications than CloudFormation.

D. CloudFormation is much more powerful than Elastic Beanstalk, because you can actually design and script custom resources.


Answer: D


Explanation: These services are designed to complement each other. AWS Elastic Beanstalk provides an environment to easily develop and run applications in the cloud. It is integrated with developer tools and provides a one-stop experience for you to manage the lifecycle of your applications. AWS CloudFormation is a convenient deployment mechanism for a broad range of AWS resources. It supports the infrastructure needs of many different types of applications such as existing enterprise applications, legacy applications, applications built using a variety of AWS resources and container-based solutions (including those built using AWS Elastic Beanstalk).

AWS CloudFormation introduces two new concepts: The template, a JSON-format, text-based file that describes all the AWS resources you need to deploy to run 
your application and the stack, the set of AWS resources that are created and managed as a single unit when AWS CloudFormation instantiates a template. 
Reference: http://aws.amazon.com/cloudformation/faqs/


NEW QUESTION 387 

You have recently joined a startup company building sensors to measure street noise and air quality in urban areas. The company has been running a pilot deployment of around 100 sensors for 3 months. Each sensor uploads 1KB of sensor data every minute to a backend hosted on AWS.

During the pilot, you measured a peak of 10 IOPS on the database, and you stored an average of 3GB of sensor data per month in the database.

The current deployment consists of a load-balanced auto scaled ingestion layer using EC2 instances and a PostgreSQL RDS database with 500GB standard storage.

The pilot is considered a success and your CEO has managed to get the attention of some potential investors. The business plan requires a deployment of at least 100K sensors which needs to be supported by the backend. You also need to store sensor data for at least two years to be able to compare year over year improvements.

To secure funding, you have to make sure that the platform meets these requirements and leaves room for further scaling. Which setup will meet the requirements?


A. Add an SQS queue to the ingestion layer to buffer writes to the RDS instance 

B. Ingest data into a DynamoDB table and move old data to a Redshift cluster 

C. Replace the RDS instance with a 6 node Redshift cluster with 96TB of storage 

D. Keep the current architecture but upgrade RDS storage to 3TB and 10K provisioned IOPS


Answer: C 


NEW QUESTION 391 

You need a persistent and durable storage to trace call activity of an IVR (Interactive Voice Response) system. Call duration is mostly in the 2-3 minutes timeframe. Each traced call can be either active or terminated. An external application needs to know each minute the list of currently active calls, which are usually a few calls/second. But once per month there is a periodic peak up to 1000 calls/second for a few hours. The system is open 24/7 and any downtime should be avoided.

Historical data is periodically archived to files. Cost saving is a priority for this project. 

What database implementation would better fit this scenario, keeping costs as low as possible? 


A. Use RDS Multi-AZ with two tables, one for "Active calls" and one for "Terminated calls". In this way the "Active calls" table is always small and effective to access.

B. Use DynamoDB with a "Calls" table and a Global Secondary Index on a "IsActive" attribute that is present for active calls only. In this way the Global Secondary index is sparse and more effective.

C. Use DynamoDB with a "Calls" table and a Global Secondary Index on a "State" attribute that can equal to "active" or "terminated". In this way the Global Secondary index can be used for all items in the table.

D. Use RDS Multi-AZ with a "CALLS" table and an indexed "STATE" field that can be equal to "ACTIVE" or "TERMINATED". In this way the SQL query is optimized by the use of the index.


Answer: A 


NEW QUESTION 393 

A web design company currently runs several FTP servers that their 250 customers use to upload and download large graphic files. They wish to move this system to AWS to make it more scalable, but they wish to maintain customer privacy and keep costs to a minimum.

What AWS architecture would you recommend? 


A. Ask their customers to use an S3 client instead of an FTP client.

B. Create a single S3 bucket. Create an IAM user for each customer. Put the IAM Users in a Group that has an IAM policy that permits access to sub-directories within the bucket via use of the 'username' Policy variable.

C. Create a single S3 bucket with Reduced Redundancy Storage turned on and ask their customers to use an S3 client instead of an FTP client. Create a bucket for each customer with a Bucket Policy that permits access only to that one customer.

D. Create an auto-scaling group of FTP servers with a scaling policy to automatically scale-in when minimum network traffic on the auto-scaling group is below a given threshold.

E. Load a central list of ftp users from S3 as part of the user data startup script on each instance.

F. Create a single S3 bucket with Requester Pays turned on and ask their customers to use an S3 client instead of an FTP client. Create a bucket for each customer with a Bucket Policy that permits access only to that one customer.


Answer: A 


NEW QUESTION 396 

You have been asked to design the storage layer for an application. The application requires disk performance of at least 100,000 IOPS. In addition, the storage layer must be able to survive the loss of an individual disk, EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3 TB. Which of the following designs will meet these objectives?


A. Instantiate a c3.8xlarge instance in us-east-1. Provision 4x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 5 volume.
B. Ensure that EBS snapshots are performed every 15 minutes.

C. Instantiate a c3.8xlarge instance in us-east-1. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 0 volume.
D. Ensure that EBS snapshots are performed every 15 minutes.

E. Instantiate an i2.8xlarge instance in us-east-1

F. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance.

G. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a second RAID 0 volume.

H. Configure synchronous, block-level replication from the ephemeral-backed volume to the EBS-backed volume.

I. Instantiate a c3.8xlarge instance in us-east-1. Provision an AWS Storage Gateway and configure it for 3 TB of storage and 100,000 IOPS.

J. Attach the volume to the instance.

K. Instantiate an i2.8xlarge instance in us-east-1
L. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance.
M. Configure synchronous, block-level replication to an identically configured instance in us-east-1


Answer: C 


NEW QUESTION 401 

An international company has deployed a multi-tier web application that relies on DynamoDB in a single region. For regulatory reasons they need disaster recovery
capability in a separate region with a Recovery Time Objective of 2 hours and a Recovery Point Objective of 24 hours. They should synchronize their data on a
regular basis and be able to provision the web application rapidly using CloudFormation.

The objective is to minimize changes to the existing web application, control the throughput of DynamoDB used for the synchronization of data and synchronize
only the modified elements.

Which design would you choose to meet these requirements? 


A. Use AWS Data Pipeline to schedule a DynamoDB cross-region copy once a day.

B. Create a 'Last updated' attribute in your DynamoDB table that would represent the timestamp of the last update and use it as a filter.

C. Use EMR and write a custom script to retrieve data from DynamoDB in the current region using a SCAN operation and push it to DynamoDB in the second
region.

D. Use AWS Data Pipeline to schedule an export of the DynamoDB table to S3 in the current region once a day, then schedule another task immediately after it that
will import data from S3 to DynamoDB in the other region.

E. Also send each write into an SQS queue in the second region; use an auto-scaling group behind the SQS queue to replay the write in the second region.


Answer: A 


NEW QUESTION 405 

An ERP application is deployed across multiple AZs in a single region. In the event of failure, the Recovery Time Objective (RTO) must be less than 3 hours, and
the Recovery Point Objective (RPO) must be 15 minutes. The customer realizes that data corruption occurred roughly 1.5 hours ago.

What DR strategy could be used to achieve this RTO and RPO in the event of this kind of failure? 


A. Take hourly DB backups to S3, with transaction logs stored in S3 every 5 minutes.

B. Use synchronous database master-slave replication between two availability zones.

C. Take hourly DB backups to EC2 instance store volumes with transaction logs stored in S3 every 5 minutes.
D. Take 15 minute DB backups stored in Glacier with transaction logs stored in S3 every 5 minutes.


Answer: A 


NEW QUESTION 406 

Your startup wants to implement an order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce, with some orders
taking up to 6 months. You expect 10 orders per day on your first day, 1000 orders per day after 6 months and 10,000 orders after 12 months.

Orders coming in are checked for consistency, then dispatched to your manufacturing plant for production, quality control, packaging, shipment and payment
processing. If the product does not meet the quality standards at any stage of the process, employees may force the process to repeat a step. Customers are
notified via email about order status and any critical issues with their orders such as payment failure.

Your base architecture includes AWS Elastic Beanstalk for your website with an RDS MySQL instance for customer data and orders.

How can you implement the order fulfillment process while making sure that the emails are delivered reliably? 


A. Add a business process management application to your Elastic Beanstalk app servers and re-use the RDS database for tracking order status. Use one of the
Elastic Beanstalk instances to send emails to customers.

B. Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use the decider instance to send
emails to customers.

C. Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use SES to send emails to
customers.

D. Use an SQS queue to manage all process tasks. Use an Auto Scaling group of EC2 instances that poll the tasks and execute them.

E. Use SES to send emails to customers.


Answer: C 


NEW QUESTION 407 

You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name example.com. You decide to use Route53
Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you
configure weighted record sets associated with two web servers in separate Availability Zones per region. During a DR test you notice that when you disable all
web servers in one of the regions Route53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers)


A. Latency resource record sets cannot be used in combination with weighted resource record sets.

B. You did not set up an HTTP health check for one or more of the weighted resource record sets associated with the disabled web servers.

C. The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other
region.

D. One of the two working web servers in the other region did not pass its HTTP health check.

E. You did not set "Evaluate Target Health" to "Yes" on the latency alias resource record set associated with example.com in the region where you disabled the
servers.


Answer: BE 


Explanation: How Health Checks Work in Complex Amazon Route 53 Configurations 

Checking the health of resources in complex configurations works much the same way as in simple configurations. However, in complex configurations, you use a 
combination of alias resource record sets (including weighted alias, latency alias, and failover alias) and nonalias resource record sets to build a decision tree that 
gives you greater control over how Amazon Route 53 responds to requests. 

For more information, see How Health Checks Work in Simple Amazon Route 53 Configurations. 

For example, you might use latency alias resource record sets to select a region close to a user and use weighted resource record sets for two or more resources 
within each region to protect against the failure of a single endpoint or an Availability Zone. The following diagram shows this configuration. 

Here's how Amazon EC2 and Amazon Route 53 are configured: 
You have Amazon EC2 instances in two regions, us-east-1 and ap-southeast-2. You want Amazon Route 53 to respond to queries by using the resource record
sets in the region that provides the lowest latency for your customers, so you create a latency alias resource record set for each region.

(You create the latency alias resource record sets after you create resource record sets for the individual Amazon EC2 instances.)

Within each region, you have two Amazon EC2 instances. You create a weighted resource record set for each instance. The name and the type are the same for 
both of the weighted resource record sets in each region. 

When you have multiple resources in a region, you can create weighted or failover resource record sets for your resources. You can also create even more 
complex configurations by creating weighted alias or failover alias resource record sets that, in turn, refer to multiple resources. 

Each weighted resource record set has an associated health check. The IP address for each health check matches the IP address for the corresponding resource
record set. This isn't required, but it's the most common configuration.

For both latency alias resource record sets, you set the value of Evaluate Target Health to Yes. 

You use the Evaluate Target Health setting for each latency alias resource record set to make Amazon Route 53 evaluate the health of the alias targets (the
weighted resource record sets) and respond accordingly.

The preceding diagram illustrates the following sequence of events: 

Amazon Route 53 receives a query for example.com. Based on the latency for the user making the request, Amazon Route 53 selects the latency alias resource 
record set for the us-east-1 region. 

Amazon Route 53 selects a weighted resource record set based on weight. Evaluate Target Health is Yes for the latency alias resource record set, so Amazon 
Route 53 checks the health of the selected weighted resource record set. 

The health check failed, so Amazon Route 53 chooses another weighted resource record set based on weight and checks its health. That resource record set also 
is unhealthy. 

Amazon Route 53 backs out of that branch of the tree, looks for the latency alias resource record set with the next-best latency, and chooses the resource record 
set for ap-southeast-2. 

Amazon Route 53 again selects a resource record set based on weight, and then checks the health of the selected resource record set. The health check passed,
so Amazon Route 53 returns the applicable value in response to the query.

What Happens When You Associate a Health Check with an Alias Resource Record Set? 

You can associate a health check with an alias resource record set instead of or in addition to setting the value of Evaluate Target Health to Yes. However, it's
generally more useful if Amazon Route 53 responds to queries based on the health of the underlying resources: the HTTP servers, database servers, and
other resources that your alias resource record sets refer to. For example, suppose the following configuration:

You assign a health check to a latency alias resource record set for which the alias target is a group of weighted resource record sets. 

You set the value of Evaluate Target Health to Yes for the latency alias resource record set. 

In this configuration, both of the following must be true before Amazon Route 53 will return the applicable value for a weighted resource record set: 

The health check associated with the latency alias resource record set must pass. 

At least one weighted resource record set must be considered healthy, either because it's associated with a health check that passes or because it's not 
associated with a health check. In the latter case, Amazon Route 53 always considers the weighted resource record set healthy. 

If the health check for the latency alias resource record set fails, Amazon Route 53 stops responding to queries using any of the weighted resource record sets in 
the alias target, even if they're all healthy. Amazon Route 53 doesn't know the status of the weighted resource record sets because it never looks past the failed 
health check on the alias resource record set. 

What Happens When You Omit Health Checks? 

In a complex configuration, it's important to associate health checks with all of the non-alias resource record sets. Let's return to the preceding example, but 
assume that a health check is missing on one of the weighted resource record sets in the us-east-1 region: 

Here's what happens when you omit a health check on a non-alias resource record set in this configuration: 

Amazon Route 53 receives a query for example.com. Based on the latency for the user making the request, Amazon Route 53 selects the latency alias resource 
record set for the us-east-1 region. 

Amazon Route 53 looks up the alias target for the latency alias resource record set, and checks the status of the corresponding health checks. The health check 
for one weighted resource record set failed, so that resource record set is omitted from consideration. 

The other weighted resource record set in the alias target for the us-east-1 region has no health check. The corresponding resource might or might not be healthy, 
but without a health check, Amazon Route 53 has no way to know. Amazon Route 53 assumes that the resource is healthy and returns the applicable value in 
response to the query. 

What Happens When You Set Evaluate Target Health to No? 

In general, you also want to set Evaluate Target Health to Yes for all of the alias resource record sets. In the following example, all of the weighted resource record 
sets have associated health checks, but Evaluate Target Health is set to No for the latency alias resource record set for the us-east-1 region: 

Here's what happens when you set Evaluate Target Health to No for an alias resource record set in this configuration: 

Amazon Route 53 receives a query for example.com. Based on the latency for the user making the request, Amazon Route 53 selects the latency alias resource 
record set for the us-east-1 region. 

Amazon Route 53 determines what the alias target is for the latency alias resource record set, and checks the corresponding health checks. They're both failing. 
Because the value of Evaluate Target Health is No for the latency alias resource record set for the us-east-1 region, Amazon Route 53 must choose one resource 
record set in this branch instead of backing out of the branch and looking for a healthy resource record set in the ap-southeast-2 region. 


NEW QUESTION 409 

Your company previously configured a heavily used, dynamically routed VPN connection between your on-premises data center and AWS. You recently
provisioned a DirectConnect connection and would like to start using the new connection. After configuring DirectConnect settings in the AWS Console, which of
the following options will provide the most seamless transition for your users?


A. Delete your existing VPN connection to avoid routing loops, configure your DirectConnect router with the appropriate settings and verify network traffic is
leveraging DirectConnect.

B. Configure your DirectConnect router with a higher BGP priority than your VPN router, verify network traffic is leveraging DirectConnect and then delete your
existing VPN connection.

C. Update your VPC route tables to point to the DirectConnect connection, configure your DirectConnect router with the appropriate settings, verify network traffic is
leveraging DirectConnect and then delete the VPN connection.

D. Configure your DirectConnect router, update your VPC route tables to point to the DirectConnect connection, configure your VPN connection with a higher BGP 
point 

E. And verify network traffic is leveraging the DirectConnect connection. 


Answer: D 

NEW QUESTION 414 

You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet as well as
from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link.


How would you design routing to meet the above requirements? 


A. Configure a single routing table with a default route via the Internet gateway. Propagate a default route via BGP on the AWS Direct Connect customer router.
B. Associate the routing table with all VPC subnets.

C. Configure a single routing table with a default route via the Internet gateway. Propagate specific routes for the on-premises networks via BGP on the AWS Direct
Connect customer router. Associate the routing table with all VPC subnets.

D. Configure a single routing table with two default routes: one to the Internet via an Internet gateway, the other to the on-premises network via the VPN gateway.
Use this routing table across all subnets in your VPC.

E. Configure two routing tables, one that has a default route via the Internet gateway and another that has a default route via the VPN gateway. Associate both
routing tables with each VPC subnet.


Answer: A 


NEW QUESTION 417 

You are implementing AWS Direct Connect. You intend to use AWS public service endpoints such as Amazon S3 across the AWS Direct Connect link. You want
other Internet traffic to use your existing link to an Internet Service Provider.

What is the correct way to configure AWS Direct Connect for access to services such as Amazon S3?


A. Configure a public interface on your AWS Direct Connect link. Configure a static route via your AWS Direct Connect link that points to Amazon S3. Advertise a
default route to AWS using BGP.

B. Create a private interface on your AWS Direct Connect link.

C. Configure a static route via your AWS Direct Connect link that points to Amazon S3. Configure specific routes to your network in your VPC.

D. Create a public interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure; advertise specific routes for your
network to AWS.

E. Create a private interface on your AWS Direct Connect link.

F. Redistribute BGP routes into your existing routing infrastructure and advertise a default route to AWS.


Answer: C 


NEW QUESTION 420 

You have deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28. You initially deploy two web servers, two application servers, two
database servers and one NAT instance for a total of seven EC2 instances. The web, application and database servers are deployed across two availability zones
(AZs). You also deploy an ELB in front of the two web servers, and use Route53 for DNS. Web traffic gradually increases in the first few days following the
deployment, so you attempt to double the number of instances in each tier of the application to handle the new load. Unfortunately some of these new instances fail
to launch.

Which of the following could be the root cause? (Choose 2 answers)


A. AWS reserves the first and the last private IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2
instances

B. The Internet Gateway (IGW) of your VPC has scaled-up, adding more instances to handle the traffic spike, reducing the number of available private IP
addresses for new instance launches

C. The ELB has scaled-up, adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches
D. AWS reserves one IP address in each subnet's CIDR block for Route53 so you do not have enough addresses left to launch all of the new EC2 instances
E. AWS reserves the first four and the last IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2
instances


Answer: CE 


NEW QUESTION 422 
You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture.
Which alternatives should you consider? (Choose 2 answers)


A. Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the
NAT instance public IP address.

B. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to
your CloudFront distribution.

C. Place all your web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name.

D. Assign EIPs to all web servers.

E. Configure a Route53 record set with all EIPs.

F. With health checks and DNS failover.

G. Configure ELB with an EIP. Place all your Web servers behind ELB. Configure a Route53 A record that points to the EIP.


Answer: CD 


NEW QUESTION 423 

You are tasked with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately this app requires access
to a number of on-premises services and no one who configured the app still works for your company. Even worse, there's no documentation for it. What will allow
the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? (Choose 3 answers)


A. An AWS Direct Connect link between the VPC and the network housing the internal services. 
B. An Internet Gateway to allow a VPN connection. 

C. An Elastic IP address on the VPC instance 

D. An IP address space that does not conflict with the one on-premises 

E. Entries in Amazon Route 53 that allow the Instance to resolve its dependencies’ IP addresses 
F. A VM Import of the current virtual machine 


Answer: ADF 
Explanation: AWS Direct Connect 
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private
connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth
throughput, and provide a more consistent network experience than Internet based connections.

AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry
standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public
resources such as objects stored in Amazon S3 using public IP address space, and private resources
such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the
public and private environments. Virtual interfaces can be reconfigured at any time to meet your changing needs.

What is AWS Direct Connect? 

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable. One end of the
cable is connected to your router, the other to an AWS Direct Connect router. With this connection in place, you can create virtual interfaces directly to the AWS
cloud (for example, to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3)) and to Amazon Virtual Private Cloud
(Amazon VPC), bypassing Internet service providers in your network path. An AWS Direct Connect location provides access to Amazon Web Services in the
region it is associated with, as well as access to other US regions. For example, you can provision a single connection to any AWS Direct Connect location in the
US and use it to access public AWS services in all US Regions and AWS GovCloud (US).

The following diagram shows how AWS Direct Connect interfaces with your network. 

Requirements 

To use AWS Direct Connect, your network must meet one of the following conditions: 

Your network is colocated with an existing AWS Direct Connect location. For more information on available AWS Direct Connect locations, go to 
http://aws.amazon.com/directconnect/. 

You are working with an AWS Direct Connect partner who is a member of the AWS Partner Network (APN). For a list of AWS Direct Connect partners who can 
help you connect, go to http://aws.amazon.com/directconnect 

You are working with an independent service provider to connect to AWS Direct Connect. In addition, your network must meet the following conditions:
Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet.
Auto Negotiation for the port must be disabled. You must support 802.1Q VLANs across these connections.

Your network must support Border Gateway Protocol (BGP) and BGP MD5 authentication. Optionally,
you may configure Bidirectional Forwarding Detection (BFD).

To connect to Amazon Virtual Private Cloud (Amazon VPC), you must first do the following: Provide a private Autonomous System Number (ASN). Amazon
allocates a private IP address in the 169.x.x.x range to you.

Create a virtual private gateway and attach it to your VPC. For more information about creating a virtual private gateway, see Adding a Hardware Virtual Private 
Gateway to Your VPC in the Amazon VPC User Guide. 

To connect to public AWS products such as Amazon EC2 and Amazon S3, you need to provide the following:

A public ASN that you own (preferred) or a private ASN. 

Public IP addresses (/31) (that is, one for each end of the BGP session) for each BGP session. If you do not have public IP addresses to assign to this connection,
log on to AWS and then open a ticket with AWS Support.

The public routes that you will advertise over BGP. 


NEW QUESTION 427 

You are migrating a legacy client-server application to AWS. The application responds to a specific DNS domain (e.g. www.example.com) and has a 2-tier
architecture, with multiple application servers and a database server. Remote clients use TCP to connect to the application servers. The application servers need to
know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A Multi-AZ RDS MySQL instance will
be used for the database. During the migration you can change the application code, but you have to file a change request.

How would you implement the architecture on AWS in order to maximize scalability and high availability? 


A. File a change request to implement Alias Resource support in the application.

B. Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.

C. File a change request to implement Latency Based Routing support in the application.

D. Use Route 53 with Latency Based Routing enabled to distribute load on two application servers in different AZs.

E. File a change request to implement Cross-Zone support in the application.

F. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.

G. File a change request to implement Proxy Protocol support in the application.

H. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different AZs.
Answer: D 

NEW QUESTION 432 


You are designing a multi-platform web application for AWS. The application will run on EC2 instances and will be accessed from PCs, tablets and smart phones.
Supported accessing platforms are Windows, macOS, iOS and Android. Separate sticky session and SSL certificate setups are required for different platform
types. Which of the following describes the most cost effective and performance efficient architecture setup?


A. Set up a hybrid architecture to handle session state and SSL certificates on-prem and separate EC2 instance groups running web applications for different
platform types running in a VPC

B. Set up one ELB for all platforms to distribute load among multiple instances under it. Each EC2 instance implements all functionality for a particular platform.

C. Set up two ELBs. The first ELB handles SSL certificates for all platforms and the second ELB handles session stickiness for all platforms. For each ELB run
separate EC2 instance groups to handle the web application for each platform.

D. Assign multiple ELBs to an EC2 instance or group of EC2 instances running the common components of the web application, one ELB for each platform type.
Session stickiness and SSL termination are done at the ELBs.


Answer: D 


NEW QUESTION 433 

Your company has an on-premises multi-tier PHP web application, which recently experienced downtime due to a large burst in web traffic due to a company
announcement. Over the coming days, you are expecting similar announcements to drive similar unpredictable bursts, and are looking to find ways to quickly
improve your infrastructure's ability to handle unexpected increases in traffic.

The application currently consists of 2 tiers: a web tier which consists of a load balancer and several Linux Apache web servers, as well as a database tier which
hosts a Linux server hosting a MySQL database. Which scenario below will provide full site functionality, while helping to improve the ability of your application in
the short timeframe required?


A. Failover environment: Create an S3 bucket and configure it for website hosting.

B. Migrate your DNS to Route53 using zone file import, and leverage Route53 DNS failover to failover to the S3 hosted website.
C. Hybrid environment: Create an AMI, which can be used to launch web servers in EC2. Create an Auto Scaling group, which uses the AMI to scale the web tier
based on incoming traffic.

D. Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted in AWS.

E. Offload traffic from on-premises environment: Set up a CloudFront distribution, and configure CloudFront to cache objects from a custom origin.
F. Choose to customize your object cache behavior, and select a TTL that objects should exist in cache.

G. Migrate to AWS: Use VM Import/Export to quickly convert an on-premises web server to an AMI.

H. Create an Auto Scaling group, which uses the imported AMI to scale the web tier based on incoming traffic.

I. Create an RDS read replica and set up replication between the RDS instance and on-premises MySQL server to migrate the database.


Answer: C 


NEW QUESTION 438 
You require the ability to analyze a large amount of data, which is stored on Amazon S3 using Amazon Elastic Map Reduce. You are using the cc2.8xlarge
instance type, whose CPUs are mostly idle during processing. Which of the below would be the most cost efficient way to reduce the runtime of the job?


A. Create more smaller files on Amazon S3.

B. Add additional cc2.8xlarge instances by introducing a task group.
C. Use smaller instances that have higher aggregate I/O performance.
D. Create fewer, larger files on Amazon S3.


Answer: C 


NEW QUESTION 440 

Your department creates regular analytics reports from your company's log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic
MapReduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse.

Your CFO requests that you optimize the cost structure for this system. 

Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data? 


A. Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot Instances and Reserved Instances for Amazon EMR jobs.
B. Use Reserved Instances for Amazon Redshift.

C. Use reduced redundancy storage (RRS) for PDF and .csv data in S3. Add Spot Instances to EMR jobs.

D. Use Spot Instances for Amazon Redshift.

E. Use reduced redundancy storage (RRS) for PDF and .csv data in Amazon S3. Add Spot Instances to Amazon EMR jobs.

F. Use Reserved Instances for Amazon Redshift.

G. Use reduced redundancy storage (RRS) for all data in Amazon S3. Add Spot Instances to Amazon EMR jobs.

H. Use Reserved Instances for Amazon Redshift.


Answer: C 


Explanation: Using Reduced Redundancy Storage 

Amazon S3 stores objects according to their storage class. It assigns the storage class to an object when it is written to Amazon S3. You can assign objects a
specific storage class (standard or reduced redundancy) only when you write the objects to an Amazon S3 bucket or when you copy objects that are already
stored in Amazon S3. Standard is the default storage class. For information about storage classes, see Object Key and Metadata.

In order to reduce storage costs, you can use reduced redundancy storage for noncritical, reproducible data at lower levels of redundancy than Amazon S3
provides with standard storage. The lower level of redundancy results in less durability and availability, but in many cases, the lower costs can make
reduced redundancy storage an acceptable storage solution. For example, it can be a cost effective solution for sharing media content that is durably stored
elsewhere. It can also make sense if you are storing thumbnails and other resized images that can be easily reproduced from an original image. Reduced
redundancy storage is designed to provide 99.99% durability of objects over a given year.

This durability level corresponds to an average annual expected loss of 0.01% of objects. For example, if you store 10,000 objects using the RRS option, you can, 
on average, expect to incur an annual loss of a single object per year (0.01% of 10,000 objects). 

Note 

This annual loss represents an expected average and does not guarantee the loss of less than 0.01% of objects in a given year. 

Reduced redundancy storage stores objects on multiple devices across multiple facilities, providing 400 times the durability of a typical disk drive, but it does not 
replicate objects as many times as Amazon 53 standard storage. In addition, reduced redundancy storage is designed to sustain the loss of data in a single facility. 
If an object in reduced redundancy storage has been lost, Amazon 53 will return a 405 error on requests made to that object. Amazon 53 also offers notifications 
for reduced redundancy storage object loss: you can configure your bucket so that when Amazon 53 detects the loss of an RRS object, a notification will be sent 
through Amazon Simple Notification Service (Amazon SNS). You can then replace the lost object. To enable notifications, you can use the Amazon 53 console to 
set the Notifications property of your bucket. 


NEW QUESTION 442 

You are the new IT architect in a company that operates a mobile sleep tracking application.

When activated at night, the mobile app is sending collected data points of 1 kilobyte every 5 minutes to your backend.

The backend takes care of authenticating the user and writing the data points into an Amazon DynamoDB table.

Every morning, you scan the table to extract and aggregate last night's data on a per user basis, and store the results in Amazon S3.

Users are notified via Amazon SNS mobile push notifications that new data is available, which is parsed and visualized by the mobile app. Currently you have
around 100k users who are mostly based out of North America.

You have been tasked to optimize the architecture of the backend system to lower cost. What would you recommend? (Choose 2 answers)


A. Create a new Amazon DynamoDB table each day and drop the one for the previous day after its data is on Amazon S3.

B. Have the mobile app access Amazon DynamoDB directly instead of JSON files stored on Amazon S3.

C. Introduce an Amazon SQS queue to buffer writes to the Amazon DynamoDB table and reduce provisioned write throughput.

D. Introduce Amazon ElastiCache to cache reads from the Amazon DynamoDB table and reduce provisioned read throughput.

E. Write data directly into an Amazon Redshift cluster replacing both Amazon DynamoDB and Amazon S3.


Answer: BD 


NEW QUESTION 447 
Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed
globally, often on the move, and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video
transcoding expertise and, if required, you may need to pay for a consultant.
How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery?


A. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.

B. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.

C. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. S3 to host videos with Lifecycle Management to archive original files to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3.

D. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days. CloudFront to serve HLS transcoded videos from Glacier.


Answer: C 


NEW QUESTION 449 

You've been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that
uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic
data and then archiving nightly into S3 for further processing with EMR.

They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access.

Which approach provides a cost effective scalable mitigation to this kind of attack?


A. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC. They would then establish
Internet connectivity into their space, filter the traffic in a hardware Web Application Firewall (WAF), and then pass the traffic through the DirectConnect connection
into their application running in their VPC.

B. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet.

C. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host based WAF. They would redirect Route 53 to resolve to the
new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the
WAF tier Security Group.

D. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality.


Answer: C 


NEW QUESTION 451 

You currently operate a web application in the AWS US-East region. The application runs on an autoscaled layer of EC2 instances and an RDS Multi-AZ database.
Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources.
The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?


A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi
Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

B. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM
roles and S3 bucket policies on the S3 bucket that stores your logs.

C. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor
Authentication (MFA) Delete on the S3 bucket that stores your logs.

D. Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management Console, one for AWS SDKs and one for command
line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.


Answer: A 


NEW QUESTION 455 

An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon
DynamoDB for storage. When creating the CloudFormation template, which of the following would allow the application instance access to the DynamoDB tables
without exposing API credentials?


A. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role
to the application instances by referencing an instance profile.

B. Use the Parameter section in the CloudFormation template to have the user input Access and Secret Keys from an already created IAM user that has the
permissions required to read and write from the required DynamoDB table.

C. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role
in the instance profile property of the application instance.

D. Create an Identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table,
use the GetAtt function to retrieve the Access and Secret keys and pass them to the application instance through user-data.


Answer: C 


NEW QUESTION 457 

Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center
need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each
NOC member and make those users sign in again to the AWS Management Console. Which option below will meet the needs for your NOC members?


A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.

B. Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.

C. Use your on-premises SAML 2.0-compliant identity provider (IdP) to grant the NOC members federated access to the AWS Management Console via the AWS
single sign-on (SSO) endpoint.

D. Use your on-premises SAML 2.0-compliant identity provider (IdP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS
Management Console.


Answer: D 


NEW QUESTION 461 

You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must
be resilient.

Which of the following options would you consider for configuring the web server infrastructure? (Choose 2 answers)


A. Configure ELB with TCP listeners on TCP/443, and place the Web servers behind it.

B. Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers.

C. Configure ELB with HTTPS listeners, and place the Web servers behind it.

D. Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your CloudFront distribution.


Answer: AB 


NEW QUESTION 465 

You have an application running on an EC2 Instance which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before
generating the URL the application should verify the existence of the file in S3.

How should the application use AWS credentials to access the S3 bucket securely?


A. Use the AWS account access Keys. The application retrieves the credentials from the source code of the application.

B. Create an IAM user for the application with permissions that allow list access to the S3 bucket. Launch the instance as the IAM user and retrieve the IAM user's
credentials from the EC2 instance user data.

C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 Instance metadata.

D. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.


Answer: C 


NEW QUESTION 467 

You have a periodic image analysis application that gets some files in input, analyzes them, and for each file writes some data in output to a text file. The number of
files in input per day is high and concentrated in a few hours of the day.

Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results. It takes almost 20 hours per day to complete the process.
What services could be used to reduce the elaboration time and improve the availability of the solution?


A. S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue.

B. EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of
SNS notifications.

C. S3 to store I/O files, SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications.

D. EBS with Provisioned IOPS (PIOPS) to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to
dynamically size the group of hosts depending on the length of the SQS queue.


Answer: D 


Explanation: Amazon EBS allows you to create storage volumes and attach them to Amazon EC2 instances. Once attached, you can create a file system on top 
of these volumes, run a database, or use them in any other way you would use a block device. Amazon EBS volumes are placed in a specific Availability Zone, 
where they are automatically replicated to protect you from the failure of a single component. 

Amazon EBS provides three volume types: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. The three volume types differ in performance 
characteristics and cost, so you can choose the right storage performance and price for the needs of your applications. All EBS volume types offer the same 
durable snapshot capabilities and are designed for 99.999% availability. 


NEW QUESTION 471 

You require the ability to analyze a customer's clickstream data on a website so they can do behavioral analysis. Your customer needs to know what sequence of
pages and ads their customer clicked on. This data will be used in real time to modify the page layouts as customers click through the site to increase stickiness
and advertising click-through. Which option meets the requirements for capturing and analyzing this data?


A. Log clicks in weblogs by URL, store to Amazon S3, and then analyze with Elastic MapReduce.

B. Push web clicks by session to Amazon Kinesis and analyze behavior using Kinesis workers.

C. Write click events directly to Amazon Redshift and then analyze with SQL.

D. Publish web clicks by session to an Amazon SQS queue, then periodically drain these events to Amazon RDS and analyze with SQL.


Answer: B


Explanation: Reference: http://www.slideshare.net/AmazonWebServices/aws-webcast-introduction-to-amazon-kinesis


NEW QUESTION 472 
A company is running a batch analysis every hour on their main transactional DB, running on an RDS MySQL instance, to populate their central Data Warehouse
running on Redshift. During the execution of the batch their transactional applications are very slow. When the batch completes they need to update the top
management dashboard with the new data. The dashboard is produced by another system running on-premises that is currently started when a manually-sent
email notifies that an update is required. The on-premises system cannot be modified because it is managed by another team.
How would you optimize this scenario to solve performance issues and automate the process as much as possible?


A. Replace RDS with Redshift for the batch analysis and SNS to notify the on-premises system to update the dashboard.

B. Replace RDS with Redshift for the batch analysis and SQS to send a message to the on-premises system to update the dashboard.

C. Create an RDS Read Replica for the batch analysis and SNS to notify the on-premises system to update the dashboard.

D. Create an RDS Read Replica for the batch analysis and SQS to send a message to the on-premises system to update the dashboard.


Answer: A 


NEW QUESTION 477 

To serve Web traffic for a popular product your chief financial officer and IT director have purchased 10 m1.large heavy utilization Reserved Instances (RIs) evenly
spread across two availability zones.

Route 53 is used to deliver the traffic to an Elastic Load Balancer (ELB). After several months, the product grows even more popular and you need additional
capacity. As a result, your company purchases two c3.2xlarge medium utilization RIs. You register the two c3.2xlarge instances with your ELB and quickly find that
the m1.large instances are at 100% of capacity and the c3.2xlarge instances have significant capacity that's unused. Which option is the most cost effective and
uses EC2 capacity most effectively?


A. Use a separate ELB for each instance type and distribute load to ELBs with Route 53 weighted round robin.

B. Configure Autoscaling group and Launch Configuration with ELB to add up to 10 more on-demand m1.large instances when triggered by CloudWatch. Shut off
c3.2xlarge instances.

C. Route traffic to EC2 m1.large and c3.2xlarge instances directly using Route 53 latency based routing and health checks. Shut off ELB.

D. Configure ELB with two c3.2xlarge instances and use on-demand Autoscaling group for up to two additional c3.2xlarge instances. Shut off m1.large instances.


Answer: D 


NEW QUESTION 479 